BugTraq
Back to list
|
Post reply
Re: Microsoft Word Email Object Data Vulnerability
Jul 09 2004 06:13PM
http-equiv (at) excite (dot) com [email concealed] (1 malware com)
<!--
Outlook 2000 and 2003 allow execution of remote web pages
specified within the data property of OBJECT tags when there is
no closing /OBJECT
-->
This reminds me of something I saw the other day. The following
and a variety of variations will work in Outlook Express
[probably IE as well]:
<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif" /div>
</BODY></HTML></OBJECT></BODY></HTML>
It hasn't been thoroughly explored but for filtering of html
email it might prove interesting.
note: it cannot be sent from Outlook Express as it will correct
the tags. Use something else.
It was originally noticed in IE like so:
<iframe src=http://www.malware.com
<img>
--
http://www.malware.com
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
<!--
Outlook 2000 and 2003 allow execution of remote web pages
specified within the data property of OBJECT tags when there is
no closing /OBJECT
-->
This reminds me of something I saw the other day. The following
and a variety of variations will work in Outlook Express
[probably IE as well]:
<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif" /div>
</BODY></HTML></OBJECT></BODY></HTML>
It hasn't been thoroughly explored but for filtering of html
email it might prove interesting.
note: it cannot be sent from Outlook Express as it will correct
the tags. Use something else.
It was originally noticed in IE like so:
<iframe src=http://www.malware.com
<img>
--
http://www.malware.com
[ reply ]