Bugtraq mailing list archives
Re: Microsoft Word Email Object Data Vulnerability
From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 9 Jul 2004 18:13:48 -0000
<!-- Outlook 2000 and 2003 allow execution of remote web pages specified within the data property of OBJECT tags when there is no closing /OBJECT --> This reminds me of something I saw the other day. The following and a variety of variations will work in Outlook Express [probably IE as well]: <BODY> <img <div src="http://www.malware.com/images/mwheader.gif"; /div> </BODY></HTML></OBJECT></BODY></HTML> It hasn't been thoroughly explored but for filtering of html email it might prove interesting. note: it cannot be sent from Outlook Express as it will correct the tags. Use something else. It was originally noticed in IE like so: <iframe src=http://www.malware.com <img> -- http://www.malware.com
![http://www.malware.com/images/mwheader.gif"](http://www.malware.com/images/mwheader.gif"){kind=link}
Current thread:
- Microsoft Word Email Object Data Vulnerability James C. Slora, Jr. (Jul 09)
- <Possible follow-ups>
- Re: Microsoft Word Email Object Data Vulnerability http-equiv () excite com (Jul 09)
- RE: Microsoft Word Email Object Data Vulnerability Drew Copley (Jul 09)