I think we already knew this BTW, but just in case... anyway it's good to know they didn't bother fixing it.
--j.

------- Forwarded Message

Date: Fri, 25 Jul 2003 17:12:33 -0000
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [VulnWatch] TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message:

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

<img dynsrc=javascript:alert()><font color=red>foo

The above is a legitimate RFC822 mail message in plain text. Ordinarily one would require an html mail message [Content-Type: text/html;] to parse html and scripting.

The above functions under a plain text mail message in Outlook Express 6.00 and Outlook Express 5.5 [perhaps others]. Outlook Express 6 has restricted zone as default as well as an option to read messages in plain text [use it !]. Other versions do not.

This was definitely fixed way back when: [see: http://www.securityfocus.com/bid/3334 ]. It can be of interest to admins who filter based on content type at the gateway, as well as newsgroup operators who do the same [less so as comprehensive].

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.

End Call

--
http://www.malware.com

------- End of Forwarded Message
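
For the gateway-filtering point in the forwarded advisory, an added example (not part of the original post, the advisory, or SpamAssassin): a Python check that does not trust the declared Content-Type and instead inspects every text/plain part for HTML tags and script-bearing attributes. The function name, tag list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message quoted in the advisory.
SAMPLE = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain;\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "<img dynsrc=javascript:alert()><font color=red>foo\n"
)
# Constructed benign mail: angle brackets, but no HTML element names.
BENIGN = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "if a < b and c > d then reply to <user@example.org>\n"
)

# Opening tag of an element an HTML renderer would act on (illustrative list).
TAG_RE = re.compile(
    r"<(img|script|iframe|object|embed|font|body|html|a|style|link|meta|form)\b[^>]*>",
    re.IGNORECASE)
# Script-bearing content: scripting URL scheme or inline event handler.
ACTIVE_RE = re.compile(r"(?:java|vb)script\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def scan_plain_parts(raw):
    """Return one finding per text/plain part that carries HTML markup."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / QP
        try:
            text = payload.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label: still inspect the part
            text = payload.decode("latin-1", "replace")
        tags = sorted({m.group(1).lower() for m in TAG_RE.finditer(text)})
        if tags:
            findings.append({"tags": tags, "active": bool(ACTIVE_RE.search(text))})
    return findings

if __name__ == "__main__":
    print(scan_plain_parts(SAMPLE))
    print(scan_plain_parts(BENIGN))
```

A filter that only scans text/html parts never reaches this body, which is why the check keys on the markup itself rather than on the header.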