|
|
TEXT/PLAIN: ALERT("OUTLOOK EXPRESS"): msg#00383security.bugtraq
Friday, July 25, 2003 Active Scripting and HTML in a plain text mail message: MIME-Version: 1.0 Content-Type: text/plain; Content-Transfer-Encoding: 7bit X-Source: 25.07.03 http://www.malware.com <img dynsrc=javascript:alert()><font color=red>foo The above is a legitimate RFC822 mail message in plain text. Ordinarily one would require an html mail message [Content-Type: text/html;] to parse html and scripting. The above functions under a plain text mail message in Outlook Express 6.00 and Outlook Express 5.5 [perhaps others]. Outlook Exprss 6 has restricted zone as default as well as an option to read messages in plain text [use it !]. Other versions do not. This was definitely fixed way back when: [see: http://www.securityfocus.com/bid/3334 ] And now appears to be back. It can be of interest to admins who filter based on content type at the gateway, as well as newsgroup operators who do the same [less so as comprehensive]. Notes: 1. We're working on html in the 'plain text' zone of OE6 next. 2. None. End Call -- http://www.malware.com |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | XSS in e107 website system: 00383, Pete Foster |
|---|---|
| Next by Date: | Re: Windows NT 4.0 with IBM JVM Denial of Service: 00383, Marc Schoenefeld |
| Previous by Thread: | XSS in e107 website systemi: 00383, Pete Foster |
| Next by Thread: | Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS"): 00383, Denis Jedig |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |