[13755] in bugtraq
Re: recent 'cross site scripting' CERT advisory
daemon@ATHENA.MIT.EDU (Manuel Martin)
Wed Feb 9 01:24:14 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <38A0801096.B973MARTIN@mail.egge.net>
Date: Tue, 8 Feb 2000 21:44:00 +0100
Reply-To: Manuel Martin <martin@FERBER-SOFTWARE.DE>
From: Manuel Martin <martin@FERBER-SOFTWARE.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.20.0002050945240.80647-100000@alive.znep.com>
Hello alltogether,
On Sat, 5 Feb 2000 10:52:11 -0700 Marc Slemko wrote:
> 2. Do not use a mail reader that forces you to display HTML messages.
> Using something like Outlook Express is very dangerous, since it
> means that you can be exploited if an email message arrives in your
> inbox and is displayed. If you do use something like Outlook
> Express, be sure to configure it to disable scripting and make it
> as restrictive as possible. Unfortunately, in the case of Outlook
> Express, this doesn't appear to be enough since I can't find any
> setting that will stop things like IFRAMEs from automatically
> loading, which are enough to make you vulnerable in many situations.
> Hopefully I'm missing something.
FYI (hopefully I am right): OE 5 can be configured to use one of two
zone-settings for HTML-mail (internet or restricted). The zone-settings
can be configured to exclude loading files in an IFRAME. This is more
than many other mail-clients which show HTML offer.
Bye, MM
--
Manuel Martin
mailto:manuel@martinnet.de
http://www.martinnet.de
