Re: The Dangers of Email Archives

[zeno <bugtraq () cgisecurity net>]

You have to admit the distributed factor on this as compared to message board or guestbook
hacking is much greater. You figure if 5 million sites archive email maybe 800,000 run effected software. 10 people 
visit a message with nasty javascript on it on each site. The numbers
can get rather large...

Also the SSI factor could cause alot of headache's if its enabled, and the tags
aren't stripped.

- zeno


> >  While this product itself doesn't have a hole in it; it is 
> > often used to help
> >  to translate mail for other archiving software. I've seen in 
> > some examples
> >  that email was translated with this tool and archived with 
> > other software, and html
> >  tags where translated/executed as normal..
>
> There are lots of reasonably similar flaws.  I scared the ****
> out of myself when I got a javascript error while reading the
> Nimda analysis posted to securityfocus.com.
>
> Parts were generated by just putting <pre> around the relevant
> code from Nimda, but IE is more than happy to interpret <script>
> within <pre>, which caused me to worry that the securityfocus.com
> page had been rewritten by Nimda, until I looked a bit closer.
>
> Be very, very careful how you deal with converting text to html and back.
>
> Tim Hollebeek
> Research Scientist
> Cigital Labs