Vulnwatch mailing list archives
TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")
From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 25 Jul 2003 17:12:33 -0000
Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message:

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo

The above is a legitimate RFC822 mail message in plain text. Ordinarily one would require an html mail message [Content-Type: text/html;] to parse html and scripting. The above functions under a plain text mail message in Outlook Express 6.00 and Outlook Express 5.5 [perhaps others].

Outlook Express 6 has restricted zone as default as well as an option to read messages in plain text [use it !]. Other versions do not.

This was definitely fixed way back when: [see: http://www.securityfocus.com/bid/3334 ].

It can be of interest to admins who filter based on content type at the gateway, as well as newsgroup operators who do the same [less so as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.

End Call

--
http://www.malware.com
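For the gateway filtering the post mentions, a check that inspects the body of text/plain parts instead of trusting the declared Content-Type; this is an added example, not part of the original post. The function name, the tag list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Markup that a genuine text/plain body should not carry. The tag list is an
# illustrative assumption for this example, not an exhaustive policy.
TAG = re.compile(r"<\s*/?\s*(img|script|iframe|object|embed|font|style|body|"
                 r"html|link|meta|form|bgsound|a)(?=[\s>/])", re.I)
SCHEME = re.compile(r"\b(javascript|vbscript)\s*:", re.I)

def plain_part_markup(raw):
    """Return sorted indicators found in parts declared, or defaulting to, text/plain."""
    hits = set()
    for part in message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True) or b""
        try:
            text = body.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label: fall back to a lossless decode
            text = body.decode("latin-1")
        hits.update("tag:" + m.group(1).lower() for m in TAG.finditer(text))
        hits.update("scheme:" + m.group(1).lower() for m in SCHEME.finditer(text))
    return sorted(hits)

# Constructed samples. POSTED reproduces the message quoted in the post above.
POSTED = ("MIME-Version: 1.0\r\n"
          "Content-Type: text/plain;\r\n"
          "Content-Transfer-Encoding: 7bit\r\n"
          "\r\n"
          "<img dynsrc=javascript:alert()><font color=red>foo\r\n")
BENIGN = ("Subject: hi\r\n"
          "\r\n"
          "if a < b then mail <user@example.com> about it\r\n")

if __name__ == "__main__":
    for name, raw in (("posted", POSTED), ("benign", BENIGN)):
        print(name, plain_part_markup(raw))
```

A non-empty result marks a message whose plain-text part would be worth quarantining or rewriting at the gateway; text/html parts are deliberately skipped here because they are expected to go through the HTML filtering path.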