[30928] in bugtraq
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")
daemon@ATHENA.MIT.EDU (pre)
Mon Jul 28 18:01:32 2003
To: Denis Jedig <seclists@syneticon.de>
Message-ID: <1059382930.3f24e6926a648@www.geekgang.co.uk>
Date: Mon, 28 Jul 2003 10:02:10 +0100 (BST)
From: pre <pre@geekgang.co.uk>
In-Reply-To: <3F21788B.9070204@syneticon.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Quoting Denis Jedig <seclists@syneticon.de>:
> http-equiv@excite.com wrote:
> > Content-Type: text/plain;
> > [...]
> > <img dynsrc=javascript:alert()><font color=red>foo
> >
> > The above is a legitimate RFC822 mail message in plain text.
> > Ordinarily one would require an html mail message [Content-Type:
> > text/html;] to parse html and scripting.
>
> Internet Explorer seems to take no offense on Content-Types either -
> text/plain from a web server is happily rendered as HTML, if it contains
> valid tags.
>
Yes, it's a well known security hole that Microsoft has refused or is unable to fix.
I (and others) have reported this issue over the last few years. MS acknowledge
the problem but will not fix it.
Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt
I recommend against using IE and Outlook in any kind of sensitive environment.
.pre
