Full Disclosure mailing list archives

TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 25 Jul 2003 17:13:02 -0000



Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message: 

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo


The above is a legitimate RFC822 mail message in plain text. 
Ordinarily one would require an html mail message [Content-Type: 
text/html;] to parse html and scripting. The above functions under a 
plain text mail message in Outlook Express 6.00 and Outlook Express 
5.5 [perhaps others]. Outlook Exprss 6 has restricted zone as default 
as well as an option to read messages in plain text [use it !]. Other 
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ].

It can be of interest to admins who filter based on content type at 
the gateway, as well as newsgroup operators who do the same [less so 
as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.


End Call

-- 
http://www.malware.com






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") http-equiv () excite com (Jul 25)
- Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") pre (Jul 28)