
Mats Bergstrom wrote:
I am not technically competent to judge if his/her claim is worth reposting, but here it is, clipped from the very long Friday 13 rant, as found at Raph's index site (Subject: Bugs Bounty??...shhh... I'm huntin wa'bits... From:anonymous-remailer@shell.portal.com).
Thanks for digging this one out. I looked and didn't find it in our local spool.

Alice de 'nonymous wrote:
Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

--ThisRandomString
Content-type: application/postscript

Data for the first object

--ThisRandomString
Content-Type: multipart/parallel; boundary=ThisSecondRandomString

--ThisSecondRandomString
Content-Type: application/postscript

Data for the second object

--ThisSecondRandomString
Content-type: application/postscript

Deletefile Renamefile Filenameforall File

--ThisSecondRandomString--
--ThisRandomString--

I think that the foregoing explains itself without me having to draw any more maps, than is absolutely necessary. The first data object sent is application/postscript. The second object is multipart/parallel.
The above appears to be total trash:

1) Netscape does not know about multipart/parallel, and will bring up a "save as" dialog when it is encountered.

2) The whole multipart/x-mixed-replace, multipart/parallel, server push thing is not interesting. The final part with the naughty postscript could just be the main document.

3) Netscape does not ship with a helper app configured for application/postscript.

If a user configures a postscript viewer that has not had the file operations disabled as a helper app to any web browser then they are opening themselves up for a world of hurt. The same is true if they just download the file and run their viewer on it manually. The same is true if they configure /bin/sh as an external viewer. Obviously everyone should heed Perry's warnings and emasculate their postscript interpreters before using them to view files of unknown origin.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
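
Added example, not part of the original posts: a short Python check that walks a message with the same nesting as the one quoted above and reports every leaf part whose declared type would be handed to an interpreter-style helper, showing that the multipart wrappers play no role in the risk. The sample message is constructed with inert placeholder bodies, and the names INTERPRETED_TYPES, leaf_parts, flag_interpreted and wrapper_types are assumptions made for this illustration.

```python
from email import message_from_string

# Constructed sample: same nesting as the quoted message, inert bodies.
SAMPLE = """\
MIME-Version: 1.0
Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

--ThisRandomString
Content-type: application/postscript

Data for the first object
--ThisRandomString
Content-Type: multipart/parallel; boundary=ThisSecondRandomString

--ThisSecondRandomString
Content-Type: application/postscript

Data for the second object
--ThisSecondRandomString
Content-type: application/postscript

Placeholder for the third object
--ThisSecondRandomString--
--ThisRandomString--
"""

# Assumption: types this site treats as programs rather than documents.
INTERPRETED_TYPES = {"application/postscript"}

def leaf_parts(msg, path=()):
    """Yield (path, content_type) for every non-multipart part, at any depth."""
    if msg.is_multipart():
        for i, part in enumerate(msg.get_payload(), 1):
            yield from leaf_parts(part, path + (i,))
    else:
        yield path, msg.get_content_type()

def flag_interpreted(raw):
    """Return [(path, type)] for leaves that a helper would interpret."""
    msg = message_from_string(raw)
    return [(p, t) for p, t in leaf_parts(msg) if t in INTERPRETED_TYPES]

def wrapper_types(raw):
    """Return the multipart container types; these carry no payload themselves."""
    return [p.get_content_type() for p in message_from_string(raw).walk()
            if p.is_multipart()]

if __name__ == "__main__":
    for path, ctype in flag_interpreted(SAMPLE):
        print("part", ".".join(map(str, path)), ctype)
```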