[Esd-l] FW: [BT] NOT GOOD: Outlook Express 6 + Internet Explorer 6

Sergio P. Cesar sergio at winc.net
Mon Apr 5 08:36:18 PDT 2004

> Does anyone else find this troubling?
> http://www.securityfocus.com/archive/1/359139
> This details a method for delivering hazardous e-mail content in a
> way that would not be trapped by the sanitizer.
> It looks pretty slick to me.  The recipient is presented with a
> harmless looking message and is tricked into clicking on what looks
> to be an innocent link.
> As for defending against this, I think defanging <FORM> tags might be
> appropriate. (IMHO, I can think of no good reason why I need to
> receive an html form by e-mail anyway.)  Consequently, I created the
> attached patch against 1.142 which adds <FORM> tags to the list of
> html tags that are defanged (presuming SECURITY_TRUST_HTML is
> undefined).  Comments/opinions?
Attached???? I see nothing attached.

> --Joe
> [demime 0.98e removed an attachment of type application/octet-stream which
> had a name of 1.142.patch]
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l

More information about the esd-l mailing list