Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Web Application Security Survey
From: Anil Madhavapeddy <anil () RECOIL ORG>
Date: Sat, 2 Sep 2000 01:01:16 +00100

Quoting D-Krypt <dkrypt () YAHOO COM>:

-Web Application Security Survey-
Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos
Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all
currently vulnerable to web based attack.


We've had some queries to the Horde/IMP (a popular GPL'ed webmail
client) list about its security following advisories like the
above.

Just to confirm that IMP-2.2.0 is shipped secure by default, with
inline-HTML viewing capability disabled.

Users are warned clearly in the configuration file about the
dangers of inline viewing, and we make a pretty good effort to
strip out all javascript code from the message before displaying it.
However, this is not to be relied on, so enable the inlining
at your own risk!

Feel free to inspect the code (in horde/imp/lib/mimetypes.lib)
and point out any problems or holes in it, so we can continue to
improve security in our ongoing development branches.

IMP's homepage is http://horde.org/imp/ , and the mailing lists
are at http://horde.org/mail/

Regards,

--
Anil Madhavapeddy, <anil () recoil org>


  By Date           By Thread  

Current thread:
  • Re: Web Application Security Survey Anil Madhavapeddy (Sep 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]