At 09:35 AM 9/27/95 -0400, you wrote:
Date: Tue, 26 Sep 1995 12:59:54 -0700
From: Alan Olsen <alano@teleport.com>
You also need X windows to find the Mozilla animated icon hack on Jammie Zawinski's page. ^^^^^^
Just for the record, that's Jamie.
Hey! I never said I could type at 1am! Yes, I know. #%#$#%ing spelling flames. Grumble. Grumble. (BTW, the compass egg will show up in any page with /jwz/ in the url. The "anim" tag on his page is bogus.)
obNetscapeHack: There is a feature called a "cookie file" in Netscape that is ripe for exploitation as a security leak. If you are using a Netscape server (and you may not even need that), you can feed all sorts of information into it without the user's knowledge. I have heard of one page that overloads the cookie file until the machine runs out of drive space. I am sure that there are other exploitable holes there... Any takers?
Yikes! That sounds really bad. Do you have any more information on this? For example, can the server write to anything other than $HOME/.netscape-cookies? If I write protect that file, but it's still owned by me, will Netscape still modify it?
The url for the spec is: http://home.netscape.com/newsref/std/cookie_spec.html. The cookie overload probably only worked under 1.1 and before. The spec claims to have limits on the number of cookies you can have. But between this and the server API, I am sure that a hole or two has to exist. This is an area not explored by many. (For good reason. It is usually poorly documented...)
OBParanoia: Want something to really make you worried. Imagine this for a web page... A local law enforcement agency decides that it wants to nab a few of those "computer preverts". They create a web site that has a cgi script that looks for providers from a list. It then has a link that shows up only for people at one of those sites to "get hot porn pics". They then collect enough machine names and other info, then use the collected information to obtain a warrant to seize the ISP's logs to match users with machines. (Most browsers do not report e-mail address.) In the current hysteria I do not see this scenario too far off. Makes you wonder what constitutes entrapment anymore?
| Minister of Forced Caffinization in the DNRC    | alano@teleport.com  |
|"The moral PGP Diffie taught Zimmerman unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!" | Ignore the man      |
| -- PGP 2.6.2 key available on request --        | behind the keyboard.|
| http://www.teleport.com/~alano                  | <fnord>             |