Gervase Markham wrote:
> 
> > > I don't know what a CGI tag is, but Mozilla does not, or should not,
> > > execute anything on the local system if Javascript in Mail and News is
> > > turned off. (Is this right?)
> > > Gerv
> >
> > I am not an expert, but this has nothing to do with JAVASCRIPT. I know
> > that cgi-tags in HTML enriched E-Mails may contain malicious code, which
> > for example sends back your E-Mail address to a third party server (this
> > requires to "click" on the tag). All I know is "BE VERY CAREFUL WHEN
> > RECEIVING HTML ENRICHED MAILS"!
> 
> Not in Mozilla. As far as I know (and I think I probably would know)
> there's no such thing as a CGI tag. And, even if there was, Mozilla takes
> (or should take) the approach of asking you before executing things on
> your behalf.
> 
> Gerv

CGI is Common Gateway Interface and it is used for pages generated on
the server by a script or program that runs on the server. It is also
used for SSI, Server Side Includes, which generate portions of a web
page on the fly. There is no way for a browser to know that it is
requesting a CGI document or an SSI document. However, CGI generated
HTML is no different from static HTML at the browser end.

An exploit that is sometimes used that may depend on CGI (because CGI
can provide HTTP headers) is to send a "coded" cookie. This can happen
in email with some clients because <meta> tags can allow forcing the
load of a foreign page. This implies that some <meta> tags should be
ignored in news and mail. Note that CGI need not be involved. If the
<meta> tag works, the page loaded, even if static, can set the cookie
using a slightly modified server. Note that the cookie if seen later can
be correlated with email address. This can be done with an image load
during page load.

Chuck
-- 
                        ... The times have been, 
                     That, when the brains were out, 
                          the man would die. ...         Macbeth 
               Chuck Simmons          [EMAIL PROTECTED]
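
Added example, not part of the original message or of Mozilla's code: one way a mail or news reader could ignore the <meta> tags described above, dropping `http-equiv` refresh and set-cookie tags from an HTML message body before rendering. The function names and the sample message are constructed for illustration; remote image loads, also mentioned above, need a separate check.

```python
from html.parser import HTMLParser

# http-equiv values that act like HTTP headers: forced page load, cookie set.
BLOCKED_HTTP_EQUIV = {"refresh", "set-cookie"}

# Constructed sample message body; the tracker host is a placeholder.
SAMPLE = (
    '<html><head><meta http-equiv="Refresh" '
    'content="0; url=http://tracker.example.invalid/p">'
    '<meta name="generator" content="x"></head>'
    '<body><p>Hi &amp; bye</p></body></html>'
)


class MailMetaFilter(HTMLParser):
    """Re-emit HTML mail minus refresh/set-cookie <meta>; comments are dropped too."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []      # pieces of the filtered document
        self.dropped = []  # (http-equiv, content) pairs that were removed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        equiv = a.get("http-equiv", "").strip().lower()
        if tag == "meta" and equiv in BLOCKED_HTTP_EQUIV:
            self.dropped.append((equiv, a.get("content", "")))
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <meta ... /> gets the same check

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_mail_html(html):
    """Return (filtered_html, dropped_meta_tags)."""
    f = MailMetaFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

The list of dropped tags can be logged or shown to the user, so a message that tried to force a page load is visible as such.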