Vulnerability Development mailing list archives

Re: jump2.eudora.com


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 31 Aug 2000 13:10:11 +0200

http://jump2.eudora.com/jump.cgi?action=update&platform=Windows98v.04.10.2222&product=Eudora&version=3.1.1.

Uhm.. rather nice page really.... *but*...

CITE
http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
To update your copy of Eudora to include the latest list of potentially
dangerous attachment types, click here and hit OK in the dialog that
follows.
END CITE

Anyone experimented with creating a link such as:
http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=bmp|

From what I gather, jump.eudora.com gives exactly the same response - can
this be abused? Is this problem only present on servers
which resolve to jump.eudora.com, or will ANY server that supplies
Eudora with the specified A-tag (<a
href="x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click
here</a>) be able to make Eudora do things?

http://www.eudora.com/security.html
has some comment on these options, but they don't really spell much out.

Personally, I have the feeling that Eudora leaves too many features
without easy-to-find documentation of them, and that in turn makes me a
bit paranoid as to whether it has a reasonably secure design. Trying
not to get in a flame war over what to use etc., but I wouldn't feel safe
using it.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
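The question above is whether an HTML link using the x-Eudora-option: scheme can silently change the client's WarnLaunchExtensions list. From a defender's side, the useful check is to scan an HTML body for option-setting links and compare any proposed WarnLaunchExtensions value against the list Eudora itself publishes, so that a link which would drop entries (the "bmp|" case) is flagged. The following is an added example, not code from the original post or from Eudora; the baseline list is the one quoted in the post, the sample HTML is constructed, and the assumption that the option value is a "|"-separated extension list is taken from the quoted link.

```python
import re
from html.parser import HTMLParser

# Baseline: the WarnLaunchExtensions list quoted in the post as Eudora's own
# update link. A proposed value that lacks any of these weakens the warning.
BASELINE_WARN_EXTENSIONS = frozenset(
    "exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs".split("|")
)

OPTION_SCHEME = "x-eudora-option:"


class _LinkCollector(HTMLParser):
    """Collects every href value from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def parse_option_link(href):
    """Return (option_name, value) if href carries the x-Eudora-option: scheme, else None.

    The scheme may be embedded after an http:// prefix, as in the
    jump.eudora.com/live/ link quoted in the post, so it is located by
    case-insensitive search rather than by requiring it at the start.
    """
    idx = href.strip().lower().find(OPTION_SCHEME)
    if idx < 0:
        return None
    body = href.strip()[idx + len(OPTION_SCHEME):]
    name, sep, value = body.partition("=")
    if not sep or not name:
        return None
    return name, value


def extensions_from_value(value):
    """Split a '|'-separated extension list (assumed format) into a normalised set."""
    return frozenset(e.strip().lower() for e in value.split("|") if e.strip())


def assess_option_links(html):
    """List option-setting links in an HTML body and flag ones that weaken WarnLaunchExtensions."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parsed = parse_option_link(href)
        if parsed is None:
            continue  # ordinary link, not an option change
        name, value = parsed
        finding = {"href": href, "option": name, "weakens": False, "dropped": frozenset()}
        if name.lower() == "warnlaunchextensions":
            proposed = extensions_from_value(value)
            dropped = BASELINE_WARN_EXTENSIONS - proposed
            finding["dropped"] = dropped
            finding["weakens"] = bool(dropped)
        findings.append(finding)
    return findings


# Constructed sample: Eudora's own update link followed by the "bmp|" variant
# the post asks about, plus an unrelated link that must be ignored.
SAMPLE_HTML = """
<p><a href="http://www.eudora.com/security.html">security notes</a></p>
<p><a href="http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click here</a></p>
<p><a href="x-Eudora-option:WarnLaunchExtensions=bmp|">click here</a></p>
"""

if __name__ == "__main__":
    for f in assess_option_links(SAMPLE_HTML):
        status = "WEAKENS" if f["weakens"] else "ok"
        print(f"{status:8} {f['option']} dropped={sorted(f['dropped'])} {f['href']}")
```

Any link that resolves to an option change is reported regardless of the option name, since a remote page altering client settings is worth a look on its own; the weaken test is only applied to WarnLaunchExtensions because that is the option whose safe value the post actually quotes.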

