Bugtraq mailing list archives
Re: 'cross site scripting' CERT advisory and MS
From: rishi () UDEL EDU (Rishi Lee Khan)
Date: Mon, 14 Feb 2000 20:57:25 -0500
There is an easy way to open a web page using an email client using HTML parsing ... simply put in the <head> tag <meta http-equiv="REFRESH" content="0;URL=http://www.yourpagehere.com">

-Rishi

Marc Slemko wrote:

> Also note that if there is any way to get Outlook Express to open a new IE window with a document in automatically when it loads an email, then you would be vulnerable if you only disabled scripting, etc. for mail and not for "normal" web access. Is there a way to do this? I don't know of any. But again, things are complex enough that I'm quite unwilling to say there is no way to do it. So while disabling all the "features" that you can when reading HTML mail is definitely recommended and protects you against a lot of attacks, it is not a complete solution. I seriously doubt that all the ways of exploiting this issue without using scripting languages have been discovered. Not that I have seen anyone publicly posting exploits that do things in any of these ways (or any other way...), which I find odd, since there are lots of vulnerable sites out there, and some vulnerabilities that are pretty serious.
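The following is an added example, not code from Rishi's or Marc's posts: a small scanner that a mail gateway or client could run over an HTML body to find and strip the <meta http-equiv="refresh"> redirect described above, which needs no scripting to send the reader's browser to a URL of the sender's choosing (and so to any reflected cross-site scripting target in that URL). It is regex-based so it runs without a DOM, and it handles the variations a real message is likely to use (any attribute order, upper or lower case, single, double or no quotes, a delay before the URL, and a ">" inside a quoted attribute value). The sample mail bodies, the hostnames and the query payloads in them are constructed for illustration; the first one reuses the tag quoted in the message.

```javascript
// Added example (not from the original post): find and strip
// <meta http-equiv="refresh"> redirects in an HTML mail body.
// Regex-based on purpose so it runs without a DOM; it is a heuristic
// and not a full HTML parser, so treat a hit as a flag, not proof.

// A <meta ...> tag, allowing '>' inside quoted attribute values.
const META_TAG_RE = /<meta\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;

// http-equiv=refresh with any quoting and any case.
const HTTP_EQUIV_RE =
  /\bhttp-equiv\s*=\s*(?:"\s*refresh\s*"|'\s*refresh\s*'|refresh(?=[\s>\/]|$))/i;

// The content attribute, quoted with ", with ', or unquoted.
const CONTENT_RE = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Parse "<seconds>;URL=<target>" (the "URL=" part is optional and
// may be quoted). Returns { delay, url } or null if unparseable.
function parseRefreshContent(content) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*(.*))?$/i.exec(content);
  if (!m) return null;
  const url = m[2] ? m[2].trim().replace(/^["']|["']$/g, '') : null;
  return { delay: Number(m[1]), url };
}

// Every refresh redirect in the body: [{ tag, delay, url }, ...].
// A refresh with no URL only reloads the mail, so it is not reported.
function findMetaRefresh(html) {
  const hits = [];
  for (const tag of html.match(META_TAG_RE) || []) {
    if (!HTTP_EQUIV_RE.test(tag)) continue;
    const c = CONTENT_RE.exec(tag);
    if (!c) continue;
    const parsed = parseRefreshContent(c[1] ?? c[2] ?? c[3]);
    if (parsed && parsed.url) hits.push({ tag, ...parsed });
  }
  return hits;
}

// Remove every refresh meta tag, leaving other <meta> tags alone
// (what a rewriting gateway would do before delivery).
function stripMetaRefresh(html) {
  return html.replace(META_TAG_RE, tag => (HTTP_EQUIV_RE.test(tag) ? '' : tag));
}

// Constructed sample bodies. The first reuses the tag from the message,
// with a made-up query string carrying a URL-encoded script tag; the
// second uses the variant spellings and a '>' inside the quoted value.
const SAMPLE_MAIL = `<html><head>
<title>hi</title>
<meta http-equiv="REFRESH" content="0;URL=http://www.yourpagehere.com/?q=%3Cscript%3Ealert(1)%3C/script%3E">
<meta name="generator" content="mailer">
</head><body>Hello</body></html>`;

const SAMPLE_MAIL_VARIANT =
  `<HEAD><META HTTP-EQUIV=refresh CONTENT='0; url=http://example.invalid/a?b=>c'></HEAD>`;

// Stand-alone run: list the redirects found and show the cleaned body.
for (const body of [SAMPLE_MAIL, SAMPLE_MAIL_VARIANT]) {
  for (const hit of findMetaRefresh(body)) {
    console.log(`redirect after ${hit.delay}s to ${hit.url}`);
  }
}
console.log(stripMetaRefresh(SAMPLE_MAIL));
```

A refresh with a non-zero delay is reported as well, since a reader who leaves the message open is redirected just the same; the delay is returned so a policy can treat it differently if it wants to. Because this is a pattern match rather than a parse, a client that can render mail as plain text, or that never follows meta refresh in mail at all, remains the stronger control.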
Current thread:
- Re: Evil Cookies., (continued)
- Re: Evil Cookies. Joachim Feise (Feb 03)
- Re: Evil Cookies. Jon Paul, Nollmann (Feb 05)
- Reminder: BOF on Distributed DoS, San Jose 2/7/00 David Kennedy CISSP (Feb 06)
- Infosec.20000207.axis700.a Vitek, Ian (Feb 07)
- Re: Evil Cookies. Thomas Reinke (Feb 04)
- Re: Evil Cookies. Dylan Griffiths (Feb 07)
- 'cross site scripting' CERT advisory and MS Eric Lecht (Feb 08)
- Re: 'cross site scripting' CERT advisory and MS Dustin Miller (Feb 09)
- Re: 'cross site scripting' CERT advisory and MS David LeBlanc (Feb 10)
- Re: 'cross site scripting' CERT advisory and MS Marc Slemko (Feb 11)
- Re: 'cross site scripting' CERT advisory and MS Rishi Lee Khan (Feb 14)
- Packet Tracing (linux klog patch) Dragos Ruiu (Feb 12)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 15)
- Re: Packet Tracing (linux klog patch) Dragos Ruiu (Feb 17)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 17)
- crash windows boxes on your local network (twinge.c) sinkhole () NILL NET (Feb 10)
- Re: crash windows boxes on your local network (twinge.c) Elias Levy (Feb 14)
- DDOS Attack Mitigation Elias Levy (Feb 11)
- TESO - Nameserver traffic amplify and NS route discovery Sebastian (Feb 12)
- Re: DDOS Attack Mitigation Darren Reed (Feb 13)
- Re: DDOS Attack Mitigation Alan Brown (Feb 14)