Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

From: <http-equiv_at_excite.com>
Date: Fri, 25 Jul 2003 17:42:36 -0000

Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message:

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo

The above is a legitimate RFC822 mail message in plain text.
Ordinarily one would require an html mail message [Content-Type:
text/html;] to parse html and scripting. The above functions under a
plain text mail message in Outlook Express 6.00 and Outlook Express
5.5 [perhaps others]. Outlook Exprss 6 has restricted zone as default
as well as an option to read messages in plain text [use it !]. Other
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ]

And now appears to be back.

It can be of interest to admins who filter based on content type at
the gateway, as well as newsgroup operators who do the same [less so
as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.

End Call 

-- 
http://www.malware.com
Received on Jul 25 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]