[Esd-l] FW: [BT] NOT GOOD: Outlook Express 6 + Internet Explorer 6

Sergio P. Cesar sergio at winc.net
Mon Apr 5 08:36:18 PDT 2004


> Does anyone else find this troubling?
>
> http://www.securityfocus.com/archive/1/359139
>
> This details a method for delivering hazardous e-mail content in a
> way that would not be trapped by the sanitizer.
>
> It looks pretty slick to me.  The recipient is presented with a
> harmless looking message and is tricked into clicking on what looks
> to be an innocent link.
>
> As for defending against this, I think defanging <FORM> tags might be
> appropriate. (IMHO, I can think of no good reason why I need to
> receive an html form by e-mail anyway.)  Consequently, I created the
> attached patch against 1.142 which adds <FORM> tags to the list of
> html tags that are defanged (presuming SECURITY_TRUST_HTML is
> undefined).  Comments/opinions?
Attached???? I see nothing attached.


>
> --Joe
>
> [demime 0.98e removed an attachment of type application/octet-stream which
> had a name of 1.142.patch]
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
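The mitigation Joe describes, defanging <FORM> tags whenever SECURITY_TRUST_HTML is undefined, written out as an added Python example rather than the Sanitizer's own procmail rules (the patch itself is not on the page); the DEFANGED_ prefix, the other tag names in the list, and the sample message body are assumptions made for the example.

```python
import re

# Tags rewritten when HTML is not trusted. The thread only proposes adding
# "form"; the remaining names are assumed for the example, not from the patch.
DEFANG_TAGS = ("form", "script", "object", "embed", "iframe")

# Opening or closing tag whose name is in DEFANG_TAGS, case-insensitive.
# \s* tolerates "<  form", \b stops "<formula>" from matching "form".
_TAG_RE = re.compile(
    r"<(/?)\s*(" + "|".join(DEFANG_TAGS) + r")\b",
    re.IGNORECASE,
)


def defang_html(body: str, trust_html: bool = False) -> str:
    """Rewrite listed tag names to DEFANGED_<name> so the mail client no
    longer recognises them. trust_html stands in for SECURITY_TRUST_HTML:
    when set, the body is passed through untouched."""
    if trust_html:
        return body
    return _TAG_RE.sub(lambda m: f"<{m.group(1)}DEFANGED_{m.group(2)}", body)


def count_live_forms(body: str) -> int:
    """Number of <form ...> tags a client would still render."""
    return len(re.findall(r"<\s*form\b", body, re.IGNORECASE))


# Constructed HTML mail body for the example (not a message from the thread).
SAMPLE = (
    "<html><body>Your account needs attention.<br>\n"
    '<FORM method=post action="http://example.invalid/login">\n'
    '<input type=submit value="Click here to continue">\n'
    "</form>\n<formula>not a form</formula></body></html>"
)

if __name__ == "__main__":
    print("live forms before:", count_live_forms(SAMPLE))
    cleaned = defang_html(SAMPLE)
    print("live forms after: ", count_live_forms(cleaned))
    print(cleaned)
```

The closing tag is rewritten as well, so a client cannot pair a surviving `</form>` with an earlier tag; `<formula>` is left alone because the word boundary check fails.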

