<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos network security services platform

Bugtraq: Re: Microsoft Word Email Object Data Vulnerability

Re: Microsoft Word Email Object Data Vulnerability

From: <http-equiv_at_excite.com>
Date: Fri, 9 Jul 2004 18:13:48 -0000

<!--

Outlook 2000 and 2003 allow execution of remote web pages
specified within the data property of OBJECT tags when there is
no closing /OBJECT

-->

This reminds me of something I saw the other day. The following
and a variety of variations will work in Outlook Express
[probably IE as well]:

<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif" /div>
</BODY></HTML></OBJECT></BODY></HTML>

It hasn't been thoroughly explored but for filtering of html
email it might prove interesting.

note: it cannot be sent from Outlook Express as it will correct
the tags. Use something else.

It was originally noticed in IE like so:

<iframe src=http://www.malware.com

<img>

-- 
http://www.malware.com

Received on Jul 09 2004

This message: [ Message body ]
Next message: Eric McCarty: "RE: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]"
Previous message: Tom Spencer: "Re: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]"
Maybe in reply to: James C. Slora, Jr.: "Microsoft Word Email Object Data Vulnerability"
Next in thread: Drew Copley: "RE: Microsoft Word Email Object Data Vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]