[35656] in bugtraq


Re: Microsoft Word Email Object Data Vulnerability

daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Fri Jul 9 20:42:19 2004

Message-Id: <200407091813.i69IDmh9019913@web129.megawebservers.com>
To: <bugtraq@securityfocus.com>
Date: Fri, 9 Jul 2004 18:13:48 -0000
From: "http-equiv@excite.com" <1@malware.com>
Reply-To: 1@malware.com



 <!--

Outlook 2000 and 2003 allow execution of remote web pages 
specified within the data property of OBJECT tags when there is 
no closing /OBJECT

 -->

This reminds me of something I saw the other day. The following 
and a variety of variations will work in Outlook Express
[probably IE as well]:

<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif" /div>
 </BODY></HTML></OBJECT></BODY></HTML>

It hasn't been thoroughly explored, but for filtering of HTML 
email it might prove interesting.

Note: it cannot be sent from Outlook Express, as it will correct 
the tags. Use something else.

It was originally noticed in IE like so:

<iframe src=http://www.malware.com








<img>

-- 
http://www.malware.com
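
A defender-side check for the filtering point raised in the message above, as an added example that is not part of the original post: it flags tags in which a second `<` appears before the closing `>`, or which never close at all. The function name and finding labels are assumptions of this example; the two samples are the snippets from the post.

```python
import re

# Added example, not from the original post. Names are hypothetical.
TAG_OPEN = re.compile(r"</?[A-Za-z]")  # '<' or '</' followed by a letter

def find_malformed_tags(html):
    """Return (kind, offset, snippet) for tags a strict filter and a
    lenient mail renderer may parse differently."""
    findings, pos = [], 0
    while True:
        m = TAG_OPEN.search(html, pos)
        if m is None:
            return findings
        start, i, quote = m.start(), m.end(), None
        kind = "unterminated-tag"          # holds if input ends before '>'
        while i < len(html):
            ch = html[i]
            if quote:                      # inside a quoted attribute value
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == ">":                # tag closed normally
                kind, i = None, i + 1
                break
            elif ch == "<":                # new tag opened inside this one
                kind = "nested-open"
                break
            i += 1
        if kind:
            findings.append((kind, start, html[start:start + 40]))
        pos = i                            # resume at the nested '<' or after '>'

# The two snippets quoted in the post (blank lines in the second shortened).
SAMPLE_OE = ('<BODY>\n<img <div src="http://www.malware.com/images/mwheader.gif"'
             ' /div>\n </BODY></HTML></OBJECT></BODY></HTML>')
SAMPLE_IE = "<iframe src=http://www.malware.com\n\n\n<img>"
# Constructed benign input: a '<' inside a quoted attribute is not a finding.
SAMPLE_OK = '<p title="a <b c">ok</p>'

if __name__ == "__main__":
    for name, body in [("OE", SAMPLE_OE), ("IE", SAMPLE_IE), ("OK", SAMPLE_OK)]:
        print(name, find_malformed_tags(body))
```

HTML comments and script bodies are not special-cased here, so a finding is a signal to quarantine or inspect the message more closely rather than proof of abuse.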



