Bugtraq mailing list archives
Re: recent 'cross site scripting' CERT advisory
From: martin () FERBER-SOFTWARE DE (Manuel Martin)
Date: Tue, 8 Feb 2000 21:44:00 +0100
Hello all together,

On Sat, 5 Feb 2000 10:52:11 -0700 Marc Slemko wrote:
> 2. Do not use a mail reader that forces you to display HTML messages. Using something like Outlook Express is very dangerous, since it means that you can be exploited if an email message arrives in your inbox and is displayed. If you do use something like Outlook Express, be sure to configure it to disable scripting and make it as restrictive as possible. Unfortunately, in the case of Outlook Express, this doesn't appear to be enough since I can't find any setting that will stop things like IFRAMEs from automatically loading, which are enough to make you vulnerable in many situations. Hopefully I'm missing something.

FYI (hopefully I am right): OE 5 can be configured to use one of two zone-settings for HTML-mail (internet or restricted). The zone-settings can be configured to exclude loading files in an IFRAME. This is more than many other mail-clients which show HTML offer.

Bye, MM

--
Manuel Martin
mailto:manuel () martinnet de
http://www.martinnet.de