Bugtraq mailing list archives
Re: Web Application Security Survey
From: Anil Madhavapeddy <anil () RECOIL ORG>
Date: Sat, 2 Sep 2000 01:01:16 +00100
Quoting D-Krypt <dkrypt () YAHOO COM>:

> -Web Application Security Survey- Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all currently vulnerable to web based attack.

We've had some queries to the Horde/IMP (a popular GPL'ed webmail client) list about its security following advisories like the above.

Just to confirm that IMP-2.2.0 is shipped secure by default, with inline-HTML viewing capability disabled. Users are warned clearly in the configuration file about the dangers of inline viewing, and we make a pretty good effort to strip out all javascript code from the message before displaying it. However, this is not to be relied on, so enable the inlining at your own risk!

Feel free to inspect the code (in horde/imp/lib/mimetypes.lib) and point out any problems or holes in it, so we can continue to improve security in our ongoing development branches.

IMP's homepage is http://horde.org/imp/, and the mailing lists are at http://horde.org/mail/

Regards,
--
Anil Madhavapeddy, <anil () recoil org>
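The posture described above (inline HTML off by default, and script stripped from any HTML body that is displayed) is the usual defence against the kind of webmail attack the survey reports. The following is an added illustration written for this archive page; it is not the Horde/IMP code in horde/imp/lib/mimetypes.lib and makes no claim about how that file works. It shows an allowlist sanitizer rather than a blocklist one: instead of searching for script tags, it keeps only a small constructed set of harmless tags and attributes, drops the content of script-like elements entirely, and refuses link schemes other than http, https and mailto, which also covers event-handler attributes and javascript: URLs that a pure `<script>` filter would miss. The `inline_html_enabled` flag, the allowlists and the sample message are all assumptions constructed for the example.

```python
"""
Allowlist-based HTML sanitizer for a webmail display path.

Added example, not Horde/IMP's own code: the allowlists, the config flag and
the sample message below are constructed for illustration only.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags and attributes considered harmless in a rendered body.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# The content of these elements is discarded, not just the tags around it.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class MessageSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, form, ...) vanishes, its text content stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # this silently removes on* event handlers, style, etc.
            if name == "href":
                if value is None or not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # rejects javascript:, data:, vbscript: and relative links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._drop_depth:
                self._drop_depth -= 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: emit the open tag, and a close tag for non-void elements
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_html(html_body: str) -> str:
    """Return the allowlisted subset of html_body as a string."""
    parser = MessageSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


def render_message(html_body: str, inline_html_enabled: bool = False) -> str:
    """Secure default: unless the administrator opts in, an HTML part is shown
    as escaped source text rather than interpreted at all."""
    if not inline_html_enabled:
        return f"<pre>{escape(html_body)}</pre>"
    return sanitize_html(html_body)


# Constructed sample message body mixing harmless markup with the kinds of
# active content a webmail client must not pass through to the browser.
SAMPLE = ('<p>Hi <b>there</b></p>'
          '<script>alert(1)</script>'
          '<a href="javascript:alert(1)">click</a>'
          '<a href="https://example.com/x?a=1&amp;b=2">ok</a>'
          '<img src="x" onerror="alert(1)">'
          '<p onclick="alert(1)">text</p>')

if __name__ == "__main__":
    print(render_message(SAMPLE))                            # default: escaped source
    print(render_message(SAMPLE, inline_html_enabled=True))  # opt-in: sanitized HTML
```

With inlining enabled the sample reduces to `<p>Hi <b>there</b></p><a>click</a><a href="https://example.com/x?a=1&amp;b=2">ok</a><p>text</p>`: the script element and its body, the javascript: link target, the image with its event handler and the onclick attribute are all gone, while the legitimate link survives with its ampersand re-escaped. The design choice is that anything the allowlist does not name is dropped, so a newly invented tag or attribute fails closed; that is why an allowlist is the safer basis for the "strip out all javascript" step, though, as the post itself says, leaving inline viewing disabled remains the only setting that does not depend on the sanitizer being perfect.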