[10444] in bugtraq

Re: Outlook 98 allows spoofing internal users

daemon@ATHENA.MIT.EDU (Toby Chamberlain)
Thu May 6 13:58:03 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <372F993F.8474A805@peoplesearch.com.au>
Date: Wed, 5 May 1999 11:05:03 +1000
Reply-To: Toby Chamberlain <toby@PEOPLESEARCH.COM.AU>
From: Toby Chamberlain <toby@PEOPLESEARCH.COM.AU>
To: BUGTRAQ@NETSPACE.ORG

Howdy,

I _was_ able to reproduce the exploit to great effect... I created a
Perl script to automate the process, passed it on to the office clown
and had a great time listening to the varied match-making arrangements
he set up.

The problem seems to be that Outlook (in the default setup) hides the
address part of the reply-to header when using it to create the value to
put in the "To" box of the reply. A reply-to header of "John Smith
<jsmith@work.com.au>" shows up as simply "John Smith" in the "To:" box
when you hit reply... but of course so does "John Smith
<merry_prankster@work.com.au>".  The other mail readers I tested it on
(Hotmail and Netscape Messenger) showed the reply-to header in full.

Cheers
Toby


>Hi Nate,
>
>I was not able to reproduce the exploit that you reported to the
>bugtraq mailing list. Outlook98 did exactly what I expected: when I
>open the mail, I see the "From:"-header in the message. When I reply
>to the email, Outlook takes the "Reply-To:"-address of the
>header. Which version of Outlook did you test?
>
>Best Regards, Sebastian
>
>PS: your "quick script" has a little bug: the header entry should be
>     "Reply-To:" instead of "Reply To:".
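
A check a mail filter or client could run for the behaviour described in this post, added here as an example and not part of the original message or the script it mentions: it flags a Reply-To whose display name would hide an address that differs from the From address. The function names and the two sample messages are constructed for illustration; the addresses are the ones quoted in the post.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; the addresses are the ones quoted in the post.
SPOOFED = (
    "From: John Smith <jsmith@work.com.au>\n"
    "Reply-To: John Smith <merry_prankster@work.com.au>\n"
    "Subject: lunch?\n\nSee you at noon.\n"
)
BENIGN = (
    "From: John Smith <jsmith@work.com.au>\n"
    "Reply-To: John Smith <jsmith@work.com.au>\n"
    "Subject: lunch?\n\nSee you at noon.\n"
)

def _pairs(msg, header):
    """Return (display_name, lowercased_address) pairs for one address header."""
    parsed = getaddresses(msg.get_all(header, []))
    return [(name.strip(), addr.lower()) for name, addr in parsed if addr]

def reply_to_findings(raw_message):
    """List Reply-To entries that a name-only "To:" box would misrepresent."""
    msg = message_from_string(raw_message)
    senders = _pairs(msg, "From")
    sender_addrs = {addr for _, addr in senders}
    sender_names = {name.lower() for name, _ in senders if name}
    findings = []
    for name, addr in _pairs(msg, "Reply-To"):
        if addr in sender_addrs:
            continue  # the reply goes back to the visible sender
        if name.lower() in sender_names:
            kind = "sender-name-on-different-address"
        elif name:
            kind = "display-name-hides-address"
        else:
            kind = "different-address"
        findings.append({"kind": kind, "shown_as": name or addr, "replies_go_to": addr})
    return findings

def render_recipient(name, addr):
    """Format a reply recipient with the address always visible."""
    return f"{name} <{addr}>" if name else addr

if __name__ == "__main__":
    for finding in reply_to_findings(SPOOFED):
        print(finding)
```
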
