[13846] in bugtraq
Re: 'cross site scripting' CERT advisory and MS
daemon@ATHENA.MIT.EDU (Rishi Lee Khan)
Tue Feb 15 16:49:56 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SOL.4.05.10002142054070.26838-100000@copland.udel.edu>
Date: Mon, 14 Feb 2000 20:57:25 -0500
Reply-To: Rishi Lee Khan <rishi@UDEL.EDU>
From: Rishi Lee Khan <rishi@UDEL.EDU>
X-To: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.20.0002101407340.357-100000@alive.znep.com>
There is an easy way to open a web page using an email client using HTML
parsing ... simply put in the <head> tag <meta http-equiv="REFRESH"
content="0;URL=http://www.yourpagehere.com">
-Rishi
Marc Slemko wrote:
> Also note that if there is any way to get Outlook Express to open a new IE
> window with a document in automatically when it loads an email, then you
> would be vulnerable if you only disabled scripting, etc. for mail and not
> for "normal" web access. Is there a way to do this? I don't know of any.
> But again, things are complex enough that I'm quite unwilling to say there
> is no way to do it.
>
> So while disabling all the "features" that you can when reading HTML mail
> is definitely recommended and protects you against a lot of attacks, it is
> not a complete solution. I seriously doubt that all the ways of
> exploiting this issue without using scripting languages have been
> discovered.
>
> Not that I have seen anyone publicly posting exploits that do things in
> any of these ways (or any other way...), which I find odd, since there are
> lots of vulnerable sites out there, and some vulnerabilities that are
> pretty serious.
>
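
A mail-filtering check for the script-free redirect discussed in this message, added here as an example and not part of the original thread: it parses a message, walks its text/html parts and reports every `<meta http-equiv="refresh">` target so the mail can be flagged or the tag stripped before rendering. The sample message, its addresses and example.com URL, and the names `RefreshFinder` and `find_meta_refresh` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.example.com/">
</head><body>hello</body></html>
"""

class RefreshFinder(HTMLParser):
    """Collects (delay, url) for every <meta http-equiv=refresh> tag."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag and attribute names
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        delay, _, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if rest[:3].lower() == "url":  # "URL=..." in any case, optional quotes
            rest = rest[3:].lstrip().lstrip("=").strip().strip("'\"")
        self.hits.append((delay.strip(), rest))

def find_meta_refresh(raw_message):
    """Return (delay, url) pairs found in all text/html parts of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RefreshFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits

if __name__ == "__main__":
    for delay, url in find_meta_refresh(SAMPLE):
        print(f"meta refresh after {delay}s -> {url}")
```
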