Bugtraq mailing list archives
Re: 'cross site scripting' CERT advisory and MS
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Thu, 10 Feb 2000 09:09:09 -0800
After a bit of dinking in vi, I removed the HTML, AND got it properly indented for response, so...
Mark Slemko wrote:
2. Do not use a mail reader that forces you to display HTML messages. Using something like Outlook Express is very dangerous, since it means that you can be exploited if an email message arrives in your inbox and is displayed.
This is overkill. The problem is scripting, not HTML, which are really separate issues.
If you do use something like Outlook Express, be sure to configure it to disable scripting and make it as restrictive as possible.
The way to do this is to open the security tab, choose to run messages in the 'untrusted sites' zone, and then configure that zone to run no script at all. Russ Cooper has a nice write-up of all this at http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=56
Unfortunately, in the case of Outlook Express, this doesn't appear to be enough since I can't find any setting that will stop things like IFRAMEs from automatically loading, which are enough to make you vulnerable in many situations.
I don't know if this can be done, but disabling scripting for e-mail entirely should be enough.
Hopefully I'm missing something.<<<
If I'm missing something, please let me know.
I wrote Microsoft a few days ago asking about shutting off HTML in Outlook Express, and here's what they wrote back:
To the best of my understanding of this very complex problem, HTML without script isn't going to get you. Script will get you, and you can turn that off. When I do use outlook, I've been running it with scripting turned off for quite some time and have noticed no loss of functionality, other than when David Litchfield sends me mail to test one of his latest findings, it doesn't work 8-)
The gentleman who responded to my query did so promptly, and from what I gather from his wording (I am afraid that inbound functionality for turning off html code is not possible in Internet Explorer as default.)
I don't think you can, though you _can_ toggle between HTML, text, and rich text, which would have saved me a few moments getting the HTML out of _this_ message if I were using it now.
I would hazard that OE is inexorably tied to IE (ok, I'm not a programmer, just hazarding a guess...) just like IE has deep hooks into Windows itself, hence the inability to _disable_ reading html in basic email. In fact I had limited my inquiry to turning HTML off in OE.
It uses IE as an HTML viewer, as do many applications. However, if you'd have asked how to turn off scripting, they should have been able to answer, and I believe that's all you need to do to make your e-mail safe. IMHO, the worst problem is with using the browser, since too many sites use some form of scripting (like www.securityfocus.com), and you can't turn it completely off without losing the ability to do a lot of things.

David LeBlanc
dleblanc () mindspring com
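
An added example, not part of the original message or the thread: a Python sketch that scans an HTML mail and reports separately the two kinds of content argued about above, constructs that only work with scripting enabled and elements such as IFRAME that load when the message is displayed. The function and class names, the tag set beyond IFRAME, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed set of elements a renderer loads on display without any script.
AUTOLOAD_TAGS = {"iframe", "frame", "object", "embed", "applet"}

class ActiveContentScanner(HTMLParser):
    """Sorts findings by whether turning scripting off would neutralise them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script = []    # needs a script engine to do anything
        self.autoload = []  # fetched when the message is displayed

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script.append("<script>")
        elif tag in AUTOLOAD_TAGS:
            self.autoload.append(f"<{tag}>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # inline event handler
                self.script.append(f"{tag}[{name}]")
            elif value.startswith(("javascript:", "vbscript:")):
                self.script.append(f"{tag}[{name}=script URL]")

def scan_message(raw):
    """Scan every text/html part of an RFC 822 message given as a string."""
    scanner = ActiveContentScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True)
            scanner.feed(body.decode(charset, errors="replace"))
    scanner.close()
    return {"script": scanner.script, "autoload": scanner.autoload}

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p onmouseover="x()">hello</p>
<script>x()</script>
<a href="javascript:x()">link</a>
<iframe src="http://example.com/page"></iframe>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A non-empty `autoload` list on a message whose `script` list is empty is the case where a scripting-off setting alone does not change what the renderer fetches.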