
Bugtraq mailing list archives

Re: gmx.net
From: Thomas Roeder <troeder () gmx-ag de>
Date: Tue, 12 Jun 2001 15:18:29 +0200

rudi carell < rudicarell () hotmail com > wrote:

Like many other web-mail systems gmx.net has a problem filtering
JavaScript in HTML-based mail messages.
[...]
The HTML <img> tag can be used to embed malicious JavaScript
within HTML mails.

Thanks for letting us know. A workaround will go online in the next
few minutes. I would like to add that we display HTML-based message
content in a special security window (called "Volldarstellung" = full
display mode) which doesn't contain the session ID of the logged-in
user. Therefore it shouldn't be possible to compromise the user's
account on our system by such tricks.

I agree though that it would be possible to open a relogin-trojan,
which could be confusing to users with less security awareness. That's
the reason why we normally try to suppress scripting code. That one
passed by us though ...


Greetings from Munich,

Thomas Roeder
GMX AG, Product Management

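The vector the thread is about (an <img> tag carrying script, e.g. through an event-handler attribute or a javascript: URL in src) and the "suppress scripting code" filtering Thomas Roeder describes, as an added example that is not code from the original thread and not GMX's filter: a small allowlist-based HTML mail sanitizer in Python. The tag/attribute allowlist, the accepted URL schemes and the sample mail fragments are hypothetical choices for illustration; the point it demonstrates is that an allowlist (keep only known-safe tags and attributes, check every URL scheme after normalising) is what stops the <img> case, whereas a denylist of known-bad patterns is what lets "that one pass by".

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical allowlist for an HTML mail sanitizer (not GMX's rules):
# tag -> attributes permitted on it. Everything not listed is removed,
# which covers every on* event handler without having to enumerate them.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "div": set(), "span": set(), "table": set(), "tr": set(), "td": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}            # never emit a closing tag for these
DROP_BODY_TAGS = {"script", "style"}  # body is code, drop it with the tag
# URL schemes accepted per attribute (assumed policy). Relative URLs pass;
# anything else (javascript:, data:, vbscript:, ...) is rejected.
URL_SCHEMES = {
    "href": ("http", "https", "mailto"),
    "src": ("http", "https", "cid"),
}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def url_is_safe(attr, value):
    """True if value is a relative URL or uses a scheme allowed for attr."""
    # Browsers ignore whitespace and control characters inside a scheme,
    # so "java\nscript:" must be normalised *before* the check.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = _SCHEME.match(cleaned)
    if not m:
        return True                   # no scheme: relative URL
    return m.group(1).lower() in URL_SCHEMES[attr]


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail of what was removed
        self._skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY_TAGS:
            self._skip_depth += 1
            self.dropped.append(tag)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:   # parser already lowercases names
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_SCHEMES and not url_is_safe(name, value):
                self.dropped.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_BODY_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:      # text is re-escaped, never passed raw
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                          # comments dropped entirely


def sanitize(html_mail):
    """Return (sanitized_html, list_of_dropped_items)."""
    s = MailSanitizer()
    s.feed(html_mail)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    # Constructed sample fragments, not from any real mail.
    for sample in ('<img src="x.png" onerror="alert(1)">',
                   '<img src="java\nscript:alert(1)">',
                   '<script>alert(1)</script><p>Hello</p>'):
        print(sanitize(sample))
```

Rendering the result in a window that carries no session ID, as the "Volldarstellung" mitigation does, is a second, independent layer: it limits what a script that does slip through can reach, but it does nothing against the relogin-trojan case, which is why the filter above is still needed.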


Current thread:
  • gmx.net rudi carell (Jun 11)
    • Re: gmx.net Thomas Roeder (Jun 12)