Bugtraq mailing list archives

Re: Outlook 98 allows spoofing internal users


From: toby () PEOPLESEARCH COM AU (Toby Chamberlain)
Date: Wed, 5 May 1999 11:05:03 +1000


Howdy,

I _was_ able to reproduce the exploit to great effect... I created a
Perl script to automate the process, passed it on to the office clown
and had a great time listening to the varied match-making arrangements
he set up.

The problem seems to be that Outlook (in the default setup) hides the
address part of the reply-to header when using it to create the value to
put in the "To" box of the reply. A reply-to header of "John Smith
<jsmith () work com au>" shows up as simply "John Smith" in the "To:" box
when you hit reply... but of course so does "John Smith
<merry_prankster () work com au>".  The other mail readers I tested it on
(Hotmail and Netscape Messenger) showed the reply-to header in full.

Cheers
Toby


Hi Nate,

I was not able to reproduce the exploit that you reported to the
bugtraq mailing list. Outlook98 did exactly what I expected: when I
open the mail, I see the "From:"-header in the message. When I reply
to the email, Outlook takes the "Reply-To:"-address of the
header. Which version of Outlook did you test?

Best Regards, Sebastian

PS: your "quick script" has a little bug: the header entry should be
    "Reply-To:" instead of "Reply To:".


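A mail-filter style check for the Reply-To display behaviour described in this thread, added here as an example and not code from either poster. The function name, the result labels and the `work.example` sample addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def classify_reply_to(raw_message):
    """Compare From and Reply-To and report how a reply would be routed.

    Returns one of:
      "ok"             - no Reply-To, or it points at the From address
      "redirect"       - replies go elsewhere, under a different display name
      "name-collision" - replies go elsewhere, but the display name is the same
                         as From, so a client that shows only the name gives
                         the user no hint that the address changed
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))

    if not reply_addr or reply_addr.lower() == from_addr.lower():
        return "ok"
    if reply_name and reply_name.strip().lower() == from_name.strip().lower():
        return "name-collision"
    return "redirect"


def sample(reply_to=None):
    """Build a constructed test message; all addresses are made up."""
    lines = ["From: John Smith <jsmith@work.example>",
             "To: Jane Doe <jdoe@work.example>",
             "Subject: lunch?"]
    if reply_to is not None:
        lines.append("Reply-To: " + reply_to)
    return "\n".join(lines) + "\n\nSee you at noon.\n"


if __name__ == "__main__":
    for label, value in [
        ("no Reply-To", None),
        ("same address", "John Smith <jsmith@work.example>"),
        ("mailing list", "Staff List <staff@work.example>"),
        ("same name, other address",
         "John Smith <merry_prankster@work.example>"),
    ]:
        print("%-26s %s" % (label, classify_reply_to(sample(value))))
```

A gateway or client plug-in could use the "name-collision" result to show the full Reply-To address or tag the message before the user replies.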
