TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

• Previous message: Adam D. Barratt: "MS03-029 / Q823803 breaks RAS?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 25 Jul 2003 17:06:43 -0000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message:

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo

The above is a legitimate RFC822 mail message in plain text.
Ordinarily one would require an html mail message [Content-Type:
text/html;] to parse html and scripting. The above functions under a
plain text mail message in Outlook Express 6.00 and Outlook Express
5.5 [perhaps others]. Outlook Exprss 6 has restricted zone as default
as well as an option to read messages in plain text [use it !]. Other
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ].

It can be of interest to admins who filter based on content type at
the gateway, as well as newsgroup operators who do the same [less so
as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.

End Call

--
http://www.malware.com
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available.  And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to
http://www.trusecure.com/offer/s0100/
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

• Previous message: Adam D. Barratt: "MS03-029 / Q823803 breaks RAS?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]