[CLUE-Talk] Nettquette Request
Charlie Oriez
coriez at oriez.org
Fri Jan 4 00:37:32 MST 2002
On Thursday 03 January 2002 17:14, you wrote:
> Charlie,
>
> Your comment that HTML is a security risk, how so? I'd like to
> learn why. TIA
>
Embedded html can have embedded javascript, java applets, ActiveX
controls, etc. If you configure your email client to render the html
instead of stripping it, presenting it without rendering, or deleting
the message unread, the embedded code could execute on your machine.

Fair non-tech article on the issue in Dec 2000 Infoworld is here:
http://iwsun4.infoworld.com/articles/hn/xml/00/12/05/001205hnwebbug.xml?p=br&s=2

Detailed technical analysis of some issues here:
http://www.computerbytesman.com/security/email/

Including a javascript example that really worked (now disabled):
http://www.computerbytesman.com/security/email/automail.htm

I'm pretty sure I could write some code using that automail example
as a starting point to run ls -lactR * > directory.prn then attach
directory.prn to an outgoing message. Great way to find and obtain
your Quicken files, etc. for a subsequent hack.

Then there is this one line HTML/javascript Email message that will
hang the Eudora and Netscape Messenger Email readers, supposedly. I
removed the tags to prevent it from executing just in case someone
here has html enabled. Obviously, I could write javascript to do
a lot more than display a message in a loop.

<xxxx> <xxxxx> while(1) alert("Help, I am caught in an
infinite loop!"); </xxxxx> </xxxx>
--
Charles Oriez coriez at oriez.org
39 34' 34.4"N / 105 00' 06.3"W
**
"Outside of a dog, a book is a man's best friend. Inside of a dog,
it's too dark to read".
-- Marx
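
An added example, not part of the original post: one way a mail filter can "present without rendering", by parsing each text/html part, keeping only the visible text and reporting the active content it found instead of executing it. The names `MailHTMLAudit` and `audit_message`, the tag list, the "on*" attribute heuristic and the sample message are assumptions constructed for this illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Elements that carry or load executable content; <embed> has no closing tag.
SKIP_TAGS = {"script", "applet", "object", "iframe"}
ACTIVE_TAGS = SKIP_TAGS | {"embed"}

class MailHTMLAudit(HTMLParser):
    """Collects visible text and records active content; nothing is executed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # what was found, in document order
        self.text = []       # visible text kept for the plain rendering
        self._skip = 0       # nesting depth inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        if tag in SKIP_TAGS:
            self._skip += 1
        for name, value in attrs:
            if name.startswith("on"):      # heuristic: onload=, onclick=, ...
                self.findings.append(f"{name}= on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}= on <{tag}>")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()))

def audit_message(raw_bytes):
    """Return (plain_text, findings) covering every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    audit = MailHTMLAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    return "\n".join(audit.text), audit.findings

# Constructed sample message, not taken from the post.
SAMPLE = (b"From: a@example.org\r\nTo: b@example.org\r\nSubject: hi\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
          b"<html><body onload=\"x()\"><p>Hello there</p>"
          b"<script>while(1) alert('loop');</script>"
          b"<a href=\"javascript:x()\">click</a></body></html>\r\n")
```
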