Vulnerability Development mailing list archives
Re: Outlook HTML VBS (demo)
From: dphull () MAIL UKANS EDU (Hull, Dave)
Date: Mon, 22 May 2000 10:21:19 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pardon my ignorance, but is it really possible to include dangerous exploits in messages using VBS, Javascript and the like? Popup messages are one thing, but I/O to disk is quite another. Is this really a VBS call? It looks suspiciously like the alert() function found in Javascript. I was working several months ago on a project and thought I might be able to use Javascript via a web page to pull stats from a user's computer like size of HDD, amount of available disk space, etc. and my admittedly shallow research led me to believe that it was not possible to use Javascript for such tasks. Granted, I don't know the language so could someone set me straight. Thanks. Dave Hull, Senior Information Technology Analyst LAN Support Services, University of Kansas gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html - -----Original Message----- From: Masial [mailto:mrousseau () SECURED ORG] Sent: Sunday, May 21, 2000 5:42 PM To: VULN-DEV () SECURITYFOCUS COM Subject: Re: Outlook HTML VBS (demo) The easy way is to build the HTML in notepad with the scripts in it then open the html doc with Word and send the eMail using the little eMail button in word. As you can see, this eMail message would pop a box on a vulnerable outlook and not on those who don't allow scripting. The only function in this demo is an alert() box but it could be pretty much anything. M.
-----Original Message----- From: VULN-DEV List [ mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Joerg Weber Sent: Sunday, May 21, 2000 12:28 PM To: VULN-DEV () SECURITYFOCUS COM Subject: Outlook, HTML & VBS BB, Everyone, this certainly is a lame question but Outlook isn't exactly my speciality :) I'm trying to embedd a script into a mail that pops up a MsgBox telling the user (s)he is vulnerable to vbs-scripting virii. Now, attaching this is sorta lame. So I'm trying to have Outlook execute the script when the message is read. Could someone explain how you create arbitrary HTML code so Outlook renders/executes it? I've that far just been able to use Outlooks build-in formating features. Thanks everyone! Joerg
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOSlRbhTf9Weyc+/pEQJFxwCgz4e9x+yrwQc++6b/eV/qei9deSwAoOMB WToxfLBEE6tTvi2mY+ehZsZD =WPIt -----END PGP SIGNATURE-----
Current thread:
- Re: Outlook HTML VBS (demo) Masial (May 21)
- Re: Outlook HTML VBS (demo) Jason Brown (May 21)
- Re: Outlook HTML VBS (demo) Blue Boar (May 21)
- Re: Outlook HTML VBS (demo) PCbob - Slobodan miskoviC (May 21)
- Vs: Re: Outlook HTML VBS (demo) Marko Ernvall (May 22)
- Re: Outlook HTML VBS (demo) Bluefish (May 22)
- Re: Outlook HTML VBS (demo) PCbob - Slobodan miskoviC (May 21)
- <Possible follow-ups>
- Re: Outlook HTML VBS (demo) Hull, Dave (May 22)
- Re: Outlook HTML VBS (demo) Hull, Dave (May 22)
- Windows DoS code (jolt2.c) Phonix Monkey (May 25)
- Re: Windows DoS code (jolt2.c) Matthew S. Hallacy (May 27)
- Re: Windows DoS code (jolt2.c) Brian S. DuRoss (May 27)
- Re: Windows DoS code (jolt2.c) Matthew S. Hallacy (May 27)
- Re: Windows DoS code (jolt2.c) Brad Spengler (May 29)
- Windows DoS code (jolt2.c) Phonix Monkey (May 25)
- Re: Windows DoS code (jolt2.c) Mikael Olsson (May 28)