From: Pontus U. <po...@ul...> - 2001-07-31 14:08:57
Well ... as I see it, it is our duty as writers/users of email software to ensure that worms can spread through our clients. Or maybe NOT!! :-P

But while we are on the topic of worms, I have received one or two mail messages where I was presented with an HTML page (which is rendered with pictures and everything), and "NO", I have not turned on "view html" in display settings. This indicates that it could be possible to write an e-mail message that contains a JavaScript worm. Reading cookies and sending them to a third-party server.

I'm sorry to say that I deleted these email messages and I haven't been able to recreate one, but I guess these messages only include HTML code that is not inside a MIME header. I will investigate this a bit further and see if I can come up with a solution.

Also, I think that even if "view html" is enabled, SquirrelMail should parse out and disable all img, javascript and embedded tags. (Maybe it already does, I haven't tried it yet.) All these can be used to implant some kind of worm into the mail. (We don't want SquirrelMail to be another HotMail/Yahoo disaster :-P )

> I've been getting this lately:
>
> Body retrival error. Please report this bug!
> Response: OK
> Message: FETCH completed
> FETCH line: * OK [PARSE] Unexpected characters at end of parameters:
> text
> ---------------
>
> Then there'll be a text/plain attachment with the body of the message.
>
> Luckily, I've only noticed this with the SirCam-generated emails, so
> I'm in no way concerned. We'll be pushed kicking and screaming into
> conforming to Outlook's mail capabilities, but I'll be damned if we're
> going to make sure a worm's email shows up alright :)
>
> -r3-

Virtually Yours
Pontus Ullgren
Software Designer & Linux Zealot
e-mail: pon...@ad...
--
Q: What is a Zealot ?
A: http://www.everything2.org/index.pl?node_id=35990
--
Say NO to HTML in e-mail messages
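The filtering proposed in the message above (dropping img, script and embedded-object tags before a mail body is displayed), as an added example that is not part of the original message and is not SquirrelMail's code. It is written in Python as an allowlist rather than a blocklist; the tag list, the scheme list and the names `MailSanitizer`, `sanitize_html` and `safe_href` are assumptions of this sketch.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: only these tags survive; img, embed, object, iframe are dropped.
ALLOWED = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote", "pre"}
DROP_CONTENT = {"script", "style"}  # text inside these vanishes with the tag
SAFE_SCHEMES = {"http", "https", "mailto"}
# Constructed sample message body, not taken from any real mail.
SAMPLE = ('<p onmouseover="f()">Hi <b>there</b></p><img src="http://tracker.example/p.gif">'
          '<script>constructed()</script><embed src="x.swf">'
          '<a href="javascript:void(0)">one</a><a href="https://example.org/">two</a>')

def safe_href(value):
    try:
        return urlsplit(value).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL: treat as unsafe
        return False

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        # All attributes are discarded (on* handlers, style, src); only a vetted href returns.
        href = (dict(attrs).get("href") or "").strip() if tag == "a" else ""
        kept = ' href="%s"' % escape(href, quote=True) if safe_href(href) else ""
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_html(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed tokens instead of being edited in place, an unclosed script element swallows the rest of the body rather than leaking it, and remote images never trigger a fetch that would reveal the reader to the sender.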