Vulnerability Development mailing list archives
Re: jump2.eudora.com
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 31 Aug 2000 13:10:11 +0200
http://jump2.eudora.com/jump.cgi?action=update&platform=Windows98v.04.10.222 2&product=Eudora&version=3.1.1.
Uhm.. rather nice page really.... *but*...

CITE
http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
To update your copy of Eudora to include the latest list of potentially dangerous attachment types, click here and hit OK in the dialog that follows.
END CITE

Anyone experimented with creating a link such as:
http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=bmp|

From what I gather, jump.eudora.com gives exactly the same response - can this be abused? Is this problem only present on servers which resolve to jump.eudora.com or will ANY server able to supply Eudora with the specified A-tag (<a href="x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click here</a>) be able to make Eudora do things?

http://www.eudora.com/security.html has some comment on these options, but they don't really spell much out. Personally, I'm having the feeling that Eudora leaves too many features without easy to find documentation of them, and that in turn makes me a bit paranoid as to whether it has a reasonably secure design. Trying not to get in a flame war over what to use etc, but I wouldn't feel safe using it.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
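Added example, not part of the original post or of Eudora: a mail-filter style check that finds anchors carrying the x-Eudora-option: scheme quoted in the post and reports which extensions from the quoted WarnLaunchExtensions list a link would leave out. The function names and the sample HTML are constructed for illustration, and the check assumes a link's list would replace the stored one, which the post asks about but does not confirm.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Extension list exactly as quoted in the post.
BASELINE = "exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|"
# Matches the bare scheme and the http://host/live/x-Eudora-option:... form.
OPTION_RE = re.compile(r"x-eudora-option:([^=\s]+)=(.*)", re.I | re.S)

def _exts(value):
    """Split a pipe-separated extension list into a normalized set."""
    return {e.strip().lower() for e in value.split("|") if e.strip()}

class _Anchors(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_links(html):
    """Return one finding per anchor that tries to set a Eudora option."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        m = OPTION_RE.search(unquote(href))  # undo %-encoding before matching
        if not m:
            continue
        option, value = m.group(1), m.group(2)
        removed = []
        if option.lower() == "warnlaunchextensions":
            # Extensions that would no longer trigger a launch warning.
            removed = sorted(_exts(BASELINE) - _exts(value))
        findings.append({"href": href, "option": option, "removed": removed})
    return findings

# Constructed sample message body (not taken from a real mail).
SAMPLE = """<p>
<a href="x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click here</a>
<a href="http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=bmp|">update</a>
<a href="http://www.eudora.com/security.html">notes</a>
</p>"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        verdict = "WEAKENS WARNINGS" if f["removed"] else "sets option"
        print(verdict, f["option"], "drops:", ",".join(f["removed"]) or "-")
```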