|
|
|
 |
|
Show printable version |
Send this article to a friend |
|
|
| Posted by: Phiber on Februrary 16, 2001 |
Any html or javascript included in a GSM SMS (short message service) message, sent or
recieved, will
be activated when a person enters the page with the message on it (Inbox
or Outbox).... |
|
|
<b>Impact - spamming</b>
I haven´t tested this, but in theory it is possible for spammers with a SMS spam program to send messages, including the meta refresh code, to all of the users of mtnsms.com. The result would be that when a member enters their inbox he or she will directly be sent to the website chosen by the spammer. It will also be very difficult, specially if a high speed connection is used, to remove the spam for the user.
<b>Impact - individual/mass sabotage</b>
Instead of spamming, the sender could include malicious code in the message causing the browser to crash or the computer to freeze. One method is to include the meta refresh code, sending a member
to a webpage with, for example, the "Self Referenced Frames Crash" which affects various o/s and/or the "Invalid WAVE Crash" (Bugtraq June 1999).
<b>Impact - sender generated</b>
The really annoying part when it comes to security is that the users themselves often cause more
problems then outside attackers. This is the issue here as well. If a user sends a message containing
code, the code will activate when the users visits the Outbox page.
<font size="1"><center>Contributed by Thomas Sjorgen on a Bugtraq mailing list</center></font> |
 |
|
|
|
|
Show printable version |
Send this article to a friend
|
|
|
|
|
| |
