Vulnerability Development mailing list archives
Re: jump2.eudora.com
From: Brian McWilliams <brian () PC-RADIO COM>
Date: Sat, 2 Sep 2000 21:10:53 -0400
Try this for what seems to be a quick fix to this problem:

http://www.eudora.com/techsupport/kb/2111hq.html

Brian

|-----Original Message-----
|From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
|Bluefish (P.Magnusson)
|Sent: Thursday, August 31, 2000 7:10 AM
|To: VULN-DEV () SECURITYFOCUS COM
|Subject: Re: jump2.eudora.com
|
|
|> http://jump2.eudora.com/jump.cgi?action=update&platform=Windows98v.04.10.2222&product=Eudora&version=3.1.1.
|
|Uhm.. rather nice page really.... *but*...
|
|CITE
|http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
|To update your copy of Eudora to include the latest list of potentially
|dangerous attachment types, click here and hit OK in the dialog that
|follows.
|END CITE
|
|Anyone experimented with creating a link such as:
|http://jump.eudora.com/live/x-Eudora-option:WarnLaunchExtensions=bmp|
|
|From what I gather, jump.eudora.com gives exactly the same response - can
|this be abused? Is this problem only present on servers
|which resolve to jump.eudora.com or will ANY server able to supply
|Eudora with the specified A-tag (<a
|href="x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click
|here</a>) be able to make Eudora do things?
|
|http://www.eudora.com/security.html
|has some comment on these options, but they don't really spell much out.
|
|Personally, I'm having the feeling that Eudora leaves too many features
|without easy to find documentation of them, and that in turn makes me a
|bit paranoid as to whether it has a reasonably secure design. Trying
|not to get in a flame war over what to use etc, but I wouldn't feel safe
|using it.
|
|..:::::::::::::::::::::::::::::::::::::::::::::::::..
| http://www.11a.nu || http://bluefish.11a.nu
| eleventh alliance development & security team
|
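A mail filter or audit script can flag the settings links discussed in this thread before a user clicks them, and report which of the quoted warning extensions a link would drop. This is an added example, not part of the original messages or any Eudora code; it assumes the mail body is available as an HTML string, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Extension list quoted in the message above (the vendor's suggested setting).
BASELINE = {"exe", "com", "bat", "cmd", "pif", "htm", "do", "xl", "reg", "lnk", "vbs"}
SCHEME = "x-eudora-option:"


class OptionLinkFinder(HTMLParser):
    """Collect every href that uses the x-Eudora-option: scheme."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.strip().lower().startswith(SCHEME):
                self.links.append(unquote(value.strip()))


def audit_body(html_body):
    """Return one finding per settings link found in an HTML mail body."""
    finder = OptionLinkFinder()
    finder.feed(html_body)
    findings = []
    for link in finder.links:
        option, _, value = link[len(SCHEME):].partition("=")
        finding = {"option": option, "value": value, "dropped": []}
        if option.lower() == "warnlaunchextensions":
            proposed = {e.strip().lower() for e in value.split("|") if e.strip()}
            finding["dropped"] = sorted(BASELINE - proposed)
        findings.append(finding)
    return findings


# Constructed sample body: the vendor-style link and the variant asked about.
SAMPLE = (
    '<p><a href="x-Eudora-option:WarnLaunchExtensions='
    'exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|">click here</a></p>'
    '<p><a href="X-EUDORA-OPTION:WarnLaunchExtensions=bmp|">update</a></p>'
)

if __name__ == "__main__":
    for f in audit_body(SAMPLE):
        status = "drops " + ",".join(f["dropped"]) if f["dropped"] else "keeps baseline"
        print(f["option"], "->", status)
```

A non-empty `dropped` list means the link would replace the warning list with one that no longer covers those extensions, which is the case worth quarantining or surfacing to the user.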