Bugtraq mailing list archives
'cross site scripting' CERT advisory and MS
From: vinylone () USWEST NET (Eric Lecht)
Date: Tue, 8 Feb 2000 06:39:28 -0700
Marc Slemko wrote:
2. Do not use a mail reader that forces you to display HTML messages.
Using something like Outlook Express is very dangerous, since it means that you can be exploited if an email message arrives in your inbox and is displayed. If you do use something like Outlook Express, be sure to configure it to disable scripting and make it as restrictive as possible. Unfortunately, in the case of Outlook Express, this doesn't appear to be enough since I can't find any setting that will stop things like IFRAMEs from automatically loading, which are enough to make you vulnerable in many situations. Hopefully I'm missing something.
<<<

I wrote Microsoft a few days ago asking about shutting off HTML in Outlook Express, and here's what they wrote back:
CASE_ID_NUM: SRZ000203000844
MESSAGE: ********************** The message for you follows ************************

Eric,

I am afraid that inbound functionality for turning off html code is not possible in Internet Explorer as default. There is no pure "html" to "text" converter or selection within the application. It is unfortunate, I know, and I am sorry to have to deliver this message to you. I have, however, passed your issue along to members of our development staff for that feature to be included in future revisions. The very question you ask is being considered at the most critical levels of our development process. The current conventional logic behind why we do not have a html to text converter is the overhead that would be placed on the machine, browser and email app that would seriously hinder performance. I appreciate your time and patience while I have researched your question. I will be archiving this issue as unresolved. If you have any questions, please contact me.

Thank you in advance,
harryb
Harry Bynum
North Carolina Desktop Premier Support Team
IE,IEAK,Win 9x/3.x!
Phone:704-XXX-XXXX
Email: hXXX () microsoft com
Powering Up the Desktop!
<<<<

The gentleman who responded to my query did so promptly, and from what I gather from his wording ("I am afraid that inbound functionality for turning off html code is not possible in Internet Explorer as default.") I would hazard that OE is inexorably tied to IE (ok, I'm not a programmer, just hazarding a guess...) just like IE has deep hooks into Windows itself, hence the inability to _disable_ reading html in basic email. In fact I had limited my inquiry to turning HTML off in OE.

FYI....

Eric Lecht
Network Analyst
State of Idaho Dept. of Administration
"I do what I can, I work in the dark".
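A defensive check in the spirit of Slemko's advice, added here and not part of Eric's post or of anything Microsoft shipped: a Python script that parses a mail message, flags the HTML elements that load or run the moment a message is rendered (IFRAMEs, scripts, on* event handlers) and returns the text/plain body, or text scraped from the HTML, so the mail can be read without rendering it. The tag set and all names are my own choices, and the sample message is constructed.

```python
# Flag active content (scripts, IFRAMEs, event handlers) in a mail's HTML part and
# return a plain-text fallback.  Added example; not code from the original post.
import email
from email import policy
from html.parser import HTMLParser

# Elements that load or execute content as soon as an HTML mail is rendered.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "meta", "link"}

class ActiveContentScanner(HTMLParser):
    """Records active elements/attributes and collects the human-readable text."""
    def __init__(self):
        super().__init__()
        self.findings, self.text_parts, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        self.findings.extend(f"<{tag} {n}>" for n, _ in attrs if n.startswith("on"))
        if tag in ("script", "style"):       # their text is code, not message content
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text_parts.append(data.strip())

def scan_message(raw):
    """Return (findings, text): active content seen in every text/html part, and the
    text/plain body if the mail has one, otherwise text scraped from the HTML."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, plain, html_text = [], None, None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = part.get_content().strip()
        elif ctype == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
            if html_text is None:
                html_text = " ".join(scanner.text_parts)
    return findings, plain if plain is not None else html_text

SAMPLE_EML = "\n".join([  # constructed sample: multipart/alternative with active HTML
    'Content-Type: multipart/alternative; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "Quarterly report attached.",
    "--b1", "Content-Type: text/html", "",
    '<p>Quarterly report attached.</p><iframe src="cid:f"></iframe><img src="cid:l" onerror="void 0"><script>x = 1</script>',
    "--b1--", ""])
```

Running `scan_message(SAMPLE_EML)` reports the IFRAME, the onerror handler and the script while handing back only the text/plain body; a mail gateway or reader hook can quarantine on findings and display the text.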