lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1059385008.3f24eeb00d9e7@www.geekgang.co.uk>
From: pre at geekgang.co.uk (pre)
Subject: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

Quoting "http-equiv@...ite.com" <1@...ware.com>:

> 
> Friday, July 25, 2003
> 
> Active Scripting and HTML in a plain text mail message: 
> 
> MIME-Version: 1.0
> Content-Type: text/plain;
> Content-Transfer-Encoding: 7bit
> X-Source: 25.07.03 http://www.malware.com
> 
> <img dynsrc=javascript:alert()><font color=red>foo
> 

This is a well known issue in IE, and hence Outlook.

It's a well known security hole that Microsoft has refused or is unable to
fix.

I (and others) have reported this issue over the last few years. MS acknowledge
the problem but will not fix it.

Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt

When I last tested this, the Finjan Surfingate web filtering software correctly
filtered this out (for web browsing, obviously).

I tested this again last week with a fully patched IE 6 on WinXP and it is still
vulnerable.

.pre

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ