lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: 1 at malware.com (http-equiv@...ite.com)
Subject: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")


Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message: 

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo


The above is a legitimate RFC822 mail message in plain text. 
Ordinarily one would require an html mail message [Content-Type: 
text/html;] to parse html and scripting. The above functions under a 
plain text mail message in Outlook Express 6.00 and Outlook Express 
5.5 [perhaps others]. Outlook Exprss 6 has restricted zone as default 
as well as an option to read messages in plain text [use it !]. Other 
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ].

It can be of interest to admins who filter based on content type at 
the gateway, as well as newsgroup operators who do the same [less so 
as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.


End Call

-- 
http://www.malware.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ