On Thursday 27 December 2001 04:19 am, Christian Biesinger wrote: > Huh? > The problem are not invalid URLs, they are valid URLs; for example, in > POST�Data.�This�could,�would�Mozilla�not�block�these�ports,�for > example be used to send email from the user's IP by posting form data > to a SMTP Server.
On Thursday 27 December 2001 07:11 am, David Illsley wrote: > If you READ the posting and paper I pointed to, you'll see that with > perfectly valid URLs and HTML form value contents it it possible to > carry out FTP commands using mozilla as the source of the attack. > > Here is a link to the CERT warning about this vulnerability: > http://www.kb.cert.org/vuls/id/476267 > > This is a vulnerability and mozilla's is currently the best way of > protecting against this. If you can come up with a better way of > fixing Okay, so we can call this "cross-protocol scripting". For example, I serve you a web page that when you click SUBMIT, posts the data to your internal SMTP server behind your firewall. Very clever. Why do they say that FreeBSD is "Not Vulnerable"? Are they simply referring to the a stock installation of FreeBSD (which probably doesn't carry Mozilla)? In any case, my suggestion is that a new Security option be provided that lets me list alternate ports that I deem to be OK: *:79 bar:8000 So does that qualify for the $10? ;-) On Thursday 27 December 2001 04:36 am, JTK wrote: >> Huh? >> The problem are not invalid URLs, they are valid URLs; > > Nonono, they're invalid - they contain linefeeds etc which are > specifically forbidden by whatever the official URL spec is.��This�was > all gone over in excruciating detail and I'm sure all the sad details > are Googleable. No, the URL contains no linefeeds: http://foo:79/ That's it. It wasn't even a POST, but even it were, there wouldn't be any linefeeds in that URL either. -Chuck
