[Esd-l] FW: [BT] NOT GOOD: Outlook Express 6 + Internet Explorer 6

Joe Steele joe at madewell.com
Wed Mar 31 20:34:55 PST 2004

Does anyone else find this troubling?


This details a method for delivering hazardous e-mail content in a 
way that would not be trapped by the sanitizer.

It looks pretty slick to me.  The recipient is presented with a 
harmless looking message and is tricked into clicking on what looks 
to be an innocent link.

As for defending against this, I think defanging <FORM> tags might be 
appropriate. (IMHO, I can think of no good reason why I need to 
receive an html form by e-mail anyway.)  Consequently, I created the 
attached patch against 1.142 which adds <FORM> tags to the list of 
html tags that are defanged (presuming SECURITY_TRUST_HTML is 
undefined).  Comments/opinions?


[demime 0.98e removed an attachment of type application/octet-stream which had a name of 1.142.patch]

More information about the esd-l mailing list