mailing list archives
Re: recent 'cross site scripting' CERT advisory
From: martin () FERBER-SOFTWARE DE (Manuel Martin)
Date: Tue, 8 Feb 2000 21:44:00 +0100
On Sat, 5 Feb 2000 10:52:11 -0700 Marc Slemko wrote:
2. Do not use a mail reader that forces you to display HTML messages.
Using something like Outlook Express is very dangerous, since it
means that you can be exploited if an email message arrives in your
inbox and is displayed. If you do use something like Outlook
Express, be sure to configure it to disable scripting and make it
as restrictive as possible. Unfortunately, in the case of Outlook
Express, this doesn't appear to be enough since I can't find any
setting that will stop things like IFRAMEs from automatically
loading, which are enough to make you vulnerable in many situations.
Hopefully I'm missing something.
FYI (hopefully I am right): OE 5 can be configured to use one of two
zone-settings for HTML-mail (internet or restricted). The zone-settings
can be configured to exclude loading files in an IFRAME. This is more
than many other mail-clients which show HTML offer.
mailto:manuel () martinnet de