
List:       bugtraq
Subject:    Re: Netscape Communicator JavaScript in <TITLE>
From:       Usman <akeju00 () IONAPREP ! ORG>
Date:       1999-05-26 2:32:25

"John D. Hardin" wrote:
>
> On Mon, 24 May 1999, Georgi Guninski wrote:
>>snip!<<
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
> ...unless you're sanitizing your email. Anybody using an HTML-enabled
> mail client should at least be aware of the availability of this tool:
>
>   ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
> --
>  John Hardin KA7OHZ                               jhardin@wolfenet.com


Or, just to add the said workaround, if you're only worried about email,
Netscape 4.5+ users can just disable JavaScript for Mail and News without
disabling JavaScript altogether. I know there's still the meta refresh factor
for HTML-enabled mail clients, though. It would be, IMHO, a good idea for
Netscape to add a little "Disable/Enable HTML for Mail Messages" checkbox, don't
you think?

-Usman Akeju
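
Added example, not part of the original post and not the procmail tool linked above: a Python check that flags active content in the HTML parts of a mail message, including the meta refresh that still applies when only JavaScript is disabled. It generalizes beyond the thread to event-handler attributes and `javascript:` URLs; the sample message, class and function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed test
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><head><title>hello</title>
<meta http-equiv="Refresh" content="0; url=http://example.com/next">
</head><body onload="init()">
<script>init()</script>
<a href="JavaScript:init()">link</a><p>plain text</p>
</body></html>
"""

class ActiveContentFinder(HTMLParser):
    """Collects markup a mail reader could act on without a user click."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            self.findings.append("script-element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append("event-handler:" + name)
            elif value.startswith("javascript:"):
                self.findings.append("javascript-url:" + name)
            elif tag == "meta" and name == "http-equiv" and value == "refresh":
                # Not script: survives a "disable JavaScript" setting.
                self.findings.append("meta-refresh")

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings
```

A mail filter could quarantine or rewrite any message for which `scan_message` returns a non-empty list.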
