HTML Form protocol attack

by phiber on August 18th, 2001

Some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII-based protocols like SMTP, NNTP, POP3, IMAP, IRC, and probably others.


By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.

In most situations this attack would not be considered a big problem, but it is an interesting example of how the combination of several innocuous and seemingly totally unrelated protocol features can be used to mount an attack.


A paper describing this "HTML Form Protocol Attack" is available at http://www.remote.org/jochen/sec/hfpa/index.html
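Seen from the server side, the issue described above is a line-based service that skips lines it does not understand and still acts on the ones it does. The following is an added example, not code from the original article or the linked paper: it models the command phase of a hypothetical SMTP-like server, and the function names, verb subset and sample sessions are assumptions constructed for illustration.

```python
import re

# Command-phase verbs of a hypothetical SMTP-like server (illustrative subset;
# DATA and message bodies are left out of this model).
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "NOOP", "RSET", "QUIT"}

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")  # e.g. "POST / HTTP/1.0"
HTTP_HEADER = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ")        # e.g. "Host: ..."

def _verb(line):
    """First word of a received line, upper-cased."""
    return line.split(b" ", 1)[0].upper().decode("ascii", "replace")

def tolerant_server(lines):
    """Skips lines it does not understand and runs every verb it does."""
    executed = []
    for line in lines:
        if _verb(line) in KNOWN_VERBS:
            executed.append(_verb(line))
            if executed[-1] == "QUIT":
                break
    return executed

def strict_server(lines, max_errors=1):
    """Drops the connection on HTTP-looking input or repeated unknown commands."""
    executed, errors = [], 0
    for line in lines:
        if HTTP_REQUEST_LINE.match(line) or HTTP_HEADER.match(line):
            return executed, "dropped: HTTP request on a non-HTTP port"
        verb = _verb(line)
        if verb not in KNOWN_VERBS:
            errors += 1
            if errors > max_errors:
                return executed, "dropped: too many unknown commands"
            continue
        executed.append(verb)
        if verb == "QUIT":
            return executed, "closed by client"
    return executed, "connection ended"

# Constructed input: lines as a server might receive them from a browser form submission.
FORM_SUBMISSION = [b"POST / HTTP/1.0", b"Host: mail.example.test:25",
                   b"User-Agent: ExampleBrowser/1.0", b"",
                   b"HELO client.example.test", b"NOOP", b"QUIT"]
# Constructed input: an ordinary client session.
NORMAL_SESSION = [b"HELO client.example.test", b"NOOP", b"QUIT"]

if __name__ == "__main__":
    print(tolerant_server(FORM_SUBMISSION))
    print(strict_server(FORM_SUBMISSION))
    print(strict_server(NORMAL_SESSION))
```

The tolerant parser runs all three embedded verbs from the form submission, while the strict one closes the connection at the first line and still serves the normal session unchanged.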

