Bugtraq mailing list archives
Re: MS Outlook alert : Cuartango Active Setup
From: bronek () WPI COM PL (Bronek Kozicki)
Date: Tue, 9 Nov 1999 13:59:00 +0100
As far as I understand, this security hole will work when a user double-clicks a supposedly innocent attachment, expecting that some well-known program (e.g. notepad.exe) will open it, is that right? So it will work only when the user is opening an attachment, am I right?

Now I'm trying to imagine a similar scenario, but one working just when the email is opened, without opening its attachments. Let's imagine an email in HTML format, with online pictures. Pictures are saved to disk, to some temp directory, when the email is opened, and then displayed in the email window (e.g. background image). If (and this is the "IF") an active script included in the HTML email were to access these files on disk, is it possible to execute the same "Active Setup" actions on them? This would allow executing email attachments "masked" as GIF or JPG pictures put in HTML mail, just when the email is opened. "Good Times" goes real?

It's just an idea, for Juan Cuartango or Georgi Guninski or anybody else willing to verify it ...

Bronek Kozicki

PS: Sorry for my poor English.