Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

Quoting Denis Jedig <seclists@xxxxxxxxxxxx>:

> http-equiv@xxxxxxxxxx wrote:
> > Content-Type: text/plain;
> > [...]
> > <img dynsrc=javascript:alert()><font color=red>foo
> > 
> > The above is a legitimate RFC822 mail message in plain text. 
> > Ordinarily one would require an html mail message [Content-Type: 
> > text/html;] to parse html and scripting. 
> 
> Internet Explorer seems to take no offense on Content-Types either - 
> text/plain from a web server is happily rendered as HTML, if it contains 
> valid tags.
> 

Yes, it's a well known security hole that Microsoft has refused or is unable to 
fix.

I (and others) have reported this issue over the last few years. MS acknowledge
the problem but will not fix it.

Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt

I recommend against using IE and Outlook in any kind of sensitive environment.

.pre