OK, let's say you have a copyrighted site and you've asked users not to make
hard copies of your highly specialized information. But someone prints it anyway.
You can arrange to scold them by making your URLs look something like this:

http://example.com/yoururl/test.cgi?"><H1>Copyright Violation

When loaded in the browser the page looks normal, but when printed, the large
message "Copyright Violation" appears at the top of the first page.

For this to work the user must have the Header set to &u in the Page Setup
dialog. Tested on MSIE 4 on NT SP4, but I suppose other versions may do the same.

Apparently IE is parsing and obeying HTML that appears in the URL itself when it
prints the URL heading on the page. Some questions arise... Can you do other
things, not just <H1>? Would IE run this HTML in the context of your site or in
the context of the local file system? So far these questions are unanswered,
thus the post to vuln-dev to see what others may discover.

Note: you don't have to have the "test.cgi" and all that for this to work. That
merely illustrates how these "special" URLs can be created yet not interfere
with the normal functioning of your site. The key portion seems to be the ">
followed by HTML, such as:

http://example.com/"><H1>lusermessage
===============================================================
It is not only [a juror's] right, but his duty... to find the
verdict according to his own best understanding, judgement,
and conscience, though in direct opposition to the direction
of the court.
-- John Adams
I consider trial by jury as the only anchor yet imagined,
by which a government can be held to the principles of its
constitution.
-- Thomas Jefferson
Received on Dec 24 1999
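
The behaviour reported above, modelled as an added example that is not part of the original post and is not IE's code: a print routine that expands the &u header code into markup, beside a hardened form that escapes the URL first, plus a log-side check for URLs carrying markup. All function names, the `print-header` wrapper and the tag counter are assumptions made for illustration.

```javascript
// Simplified model (an assumption, not IE's implementation) of a print routine
// that expands the &u header code and hands the result to an HTML renderer.

// Escape the characters that let text break out of HTML text or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour the post describes: the URL is pasted into the header untouched.
function expandHeaderUnsafe(template, url) {
  return '<div class="print-header">' + template.split("&u").join(url) + "</div>";
}

// Hardened form: the URL is data, so it is escaped before reaching the renderer.
function expandHeaderSafe(template, url) {
  return '<div class="print-header">' + template.split("&u").join(escapeHtml(url)) + "</div>";
}

// Crude stand-in for an HTML parser: names of the elements a string opens.
function openedElements(html) {
  const tags = html.match(/<[A-Za-z][^>]*>/g) || [];
  return tags.map((t) => t.match(/^<([A-Za-z0-9]+)/)[1].toLowerCase());
}

// Detection helper for request logs: markup in a URL, raw or percent-encoded.
function urlCarriesMarkup(url) {
  let decoded = url;
  try {
    decoded = decodeURIComponent(url);
  } catch (e) {
    // Malformed percent-escapes: fall back to inspecting the raw string.
  }
  return /<\s*\/?[A-Za-z!]/.test(decoded);
}

// URL taken from the post; the header template is the &u setting it mentions.
const reportedUrl = 'http://example.com/yoururl/test.cgi?"><H1>Copyright Violation';
console.log(openedElements(expandHeaderUnsafe("&u", reportedUrl))); // div and h1
console.log(openedElements(expandHeaderSafe("&u", reportedUrl)));   // div only
console.log(urlCarriesMarkup(reportedUrl));
```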