Bugtraq mailing list archives
Re: gmx.net
From: Thomas Roeder <troeder () gmx-ag de>
Date: Tue, 12 Jun 2001 15:18:29 +0200
rudi carell < rudicarell () hotmail com > wrote:
like many other web-mail systems gmx.net has a problem filtering java-script in html-based mail-messages.
[...]
the html - <img> tag can be used to embedd malicious java-scripts within html-mails
thanks for letting us know. A workaround will go online in the next minutes. I would like to add that we display HTML-based message content in a special security window (called "Volldarstellung" = full display mode) which doesn't contain the session ID of the logged in user. Therefor it shouldn't be possible to compromise the users account on our system by such tricks. I agree though that it would be possible to open a relogin-trojan which could be confusing to users with less security awareness. That's the reason why we normally try to supress scripting code. That one passed by us though ... Greetings from Munich, Thomas Roeder GMX AG, Product Management
Current thread:
- gmx.net rudi carell (Jun 11)
- <Possible follow-ups>
- Re: gmx.net Thomas Roeder (Jun 12)