[13863] in bugtraq
Re: 'cross site scripting' CERT advisory and MS
daemon@ATHENA.MIT.EDU (David LeBlanc)
Thu Feb 17 01:29:15 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.20000216093956.0382c200@mail.mindspring.com>
Date: Wed, 16 Feb 2000 09:39:56 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: Rishi Lee Khan <rishi@UDEL.EDU>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.4.05.10002142054070.26838-100000@copland.udel.edu>
I wanted to reply to this, and make a clarification -
At 08:57 PM 2/14/00 -0500, Rishi Lee Khan wrote:
>There is an easy way to open a web page using an email client using HTML
>parsing ... simply put in the <head> tag <meta http-equiv="REFRESH"
>content="0;URL=http://www.yourpagehere.com">
Tried it, and it doesn't seem to work. Created an HTML mail with this
embedded, opened it in Outlook, and no refresh. Did a Save As to dump it
out to file, opened it with IE, got the refresh. I'm not saying it can't
be made to work, but I can't do it, and it seems like a decent test, since
I am getting it to refresh in IE.
>Marc Slemko wrote:
>> So while disabling all the "features" that you can when reading HTML mail
>> is definitely recommended and protects you against a lot of attacks, it is
>> not a complete solution. I seriously doubt that all the ways of
>> exploiting this issue without using scripting languages have been
>> discovered.
Now for the clarification:
I am NOT trying to solve the general problem of all the bad things that
either can happen, or are theoretically possible once you plug in the
network cable. I am trying to solve the specific problem of cross-site
scripting attacks being delivered by e-mail.
What I recommend specifically for using Outlook (probably also applies to
other mail readers using IE as an HTML viewer) is:
1) Set it to run in the Restricted Sites zone
2) Edit the Restricted Sites zone into what I call maximum paranoia mode -
turn EVERYTHING off. IIRC, cookies are off to begin with, but this gets
them turned off for sure.
Am I now saying that if you do this, you're safe? Absolutely not. You're
never safe. A meteorite could come through the roof, or you could get hit
with an evil bug that isn't publicly known yet. Anything can happen. No
one expects the Spanish Inquisition! I _am_ saying that there are a whole
bunch of things that I _know_ can get you that now won't get you.
Am I saying that HTML mail is a great idea, and that applying these
settings makes it all safe and cozy? To quote Marc, "NO, NO, NO!!!" IMHO,
it isn't a great idea, but lots of people use it, and I can't turn it off
in the mail reader I use at work, so I think these settings make it a much
more reasonable risk.
Speaking of which, there are still 3 things that I know of to worry about:
1) Embedded URLs in HTML mail - these will invoke the browser IF you click
on them, and the effect will depend on a lot of other issues. You're also
now most likely running in the Internet zone, so different settings apply.
Personally, I take a look at them before clicking on them, or just type
them in.
2) HTML attachments - these aren't governed by the mail reader, but by the
browser. Make the browser settings you think are appropriate.
3) Things I don't know about. No telling what sort of nastiness is lurking
out there. Definitely worry about this one. I don't think security
problems on the Internet are a passing phase - we're all in for a wild ride.
David LeBlanc
dleblanc@mindspring.com
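Steps 1 and 2 of the settings above, as an added example that is not part of David LeBlanc's post: a PowerShell script that drives the Internet Explorer "Restricted sites" zone (zone 4) to the all-off state he describes, for the current user, and then reports anything left enabled. It relies on the documented registry layout for IE security zones (a key per zone under Internet Settings\Zones, one DWORD per URL action with 0 = enable, 1 = prompt, 3 = disable). The particular set of URL actions, the function names and the two special-cased values (1C00 Java permissions, 1A00 logon) are this example's own choices to check against your IE version; step 1, pointing Outlook at the Restricted sites zone, is assumed to have been done in Outlook's own Security options, since the Outlook-side registry location differs by version.

```powershell
# Added example, not from the original post. Forces every listed URL action in
# the Internet Explorer "Restricted sites" zone (zone 4) to Disable for the
# current user, i.e. the "maximum paranoia" Restricted Sites zone recommended
# for Outlook in the post. Registry layout: each zone is a key under
# Internet Settings\Zones\<n>; each URL action is a DWORD whose data is
# 0 (enable), 1 (prompt) or 3 (disable). Assumption: Outlook has already been
# set to use the Restricted sites zone in its own UI (step 1 in the post).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'

# URL actions driven to Disable (3). The selection is this example's own;
# compare it with the zone's "Custom Level" dialog on your IE version.
$UrlActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '1601' = 'Submit non-encrypted form data'
    '1604' = 'Font download'
    '1605' = 'Run Java'
    '1606' = 'Userdata persistence'
    '1607' = 'Navigate sub-frames across different domains'
    '1800' = 'Installation of desktop items'
    '1802' = 'Drag and drop or copy and paste files'
    '1803' = 'File download'
    '1804' = 'Launching programs and files in an IFRAME'
    '1A02' = 'Allow persistent (stored) cookies'
    '1A03' = 'Allow per-session cookies'
}
$Disable = 3

function Set-ParanoidZone {
    # Writes Disable for every action in $UrlActions, plus two values that do
    # not use the 0/1/3 scheme: Java permissions (1C00, 0 = Disable Java) and
    # logon (1A00, 0x30000 = anonymous logon only).
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($action in $UrlActions.Keys) {
        Set-ItemProperty -Path $Path -Name $action -Value $Disable -Type DWord
    }
    Set-ItemProperty -Path $Path -Name '1C00' -Value 0 -Type DWord
    Set-ItemProperty -Path $Path -Name '1A00' -Value 0x30000 -Type DWord
}

function Test-ParanoidZone {
    # Returns the listed actions that are NOT disabled, so the caller can see
    # what is still reachable from HTML mail rendered in this zone.
    param([string]$Path = $ZonePath)
    $props = Get-ItemProperty -Path $Path
    foreach ($action in $UrlActions.Keys) {
        $current = $props.$action
        if ($null -eq $current -or $current -ne $Disable) {
            [pscustomobject]@{
                Action  = $action
                Meaning = $UrlActions[$action]
                Value   = if ($null -eq $current) { '<unset>' } else { $current }
            }
        }
    }
}

Set-ParanoidZone
$left = @(Test-ParanoidZone)
if ($left.Count -eq 0) { 'Zone 4: all listed URL actions are disabled.' }
else { $left | Format-Table -AutoSize }
```

Run it as the user whose Outlook profile is affected; it writes only under HKCU, so machine-wide Group Policy settings for the same zone (under HKLM) will still take precedence where they exist, and Test-ParanoidZone only inspects the HKCU copy. Because the Restricted sites zone is shared with IE, sites you have deliberately placed in that zone will be locked down the same way, which is the intended effect.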