Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: Michal Szokolo <msz () kill-spammers pmp com pl>
Date: Sun, 24 Jun 2001 03:02:33 +0100

John Percival wrote:

I'm going to try and throw another issue into this discussion now too:
denial of service. We have discussed it for attacking remote servers, but
not for the client viewing the image. It's something else that I spotted
while I was playing around with this issue just now.

If you have images that include a mailto:me () my host somewhere com source,
then the default handler for mailto: links is opened up. Be that Outlook,
Netscape Composer, Eudora, or whatever else you care to use.

So if someone embedded 100 (arbitrary figure) mailto: images in a page, then
this would do a lot of harm to the user's computer. At best, it would get
very busy for a few minutes creating new emails, and would be a pain to
clear up. At worst, it could bring the whole system crashing down.

Netscape 4.77 crashes at about 50 such IMG tags, IF they are different
(simply putting mailto:fakeluser () fakedomain 100 times won't work (opens
only 2 message windows)), but if you go with some script... instant
crash (try it now free of charge at http://msz.pmp.com.pl/boom/ ;-)).

I'm an ugly boy            | Nie wchodzic na http://msz.pmp.com.pl/
My face makes you hurl     | REKLAMY:
I'm a relation             |    Dla snobow: http://www.filharmonia.pl/
To Frankenstein's creation | Wypij za mnie: http://www.fws.pl/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]