Here is the code I'm using to prevent this sort of thing from affecting my users. It's ugly, but it's quick and it works for simple attempts at using this hack.
Original code from readmail.html:

345: <!--IMAIL.ElseBeginIfHTMLMessage-->
346: <TD WIDTH="1%" BGCOLOR="#FFFFFF"> </TD>
347: <TD BORDER="0" WIDTH="99%" BGCOLOR="#FFFFFF" ALIGN="left">
348: <!--IMAIL.EndBeginIfHTMLMessage-->
349: <!--IMAIL.MailMessageWithoutHeader-->

On line 349 of readmail.html (for default iMail template people), replace:

<!--IMAIL.MailMessageWithoutHeader-->

with:

<textarea style="width:100%;height:100%;"><!--IMAIL.MailMessageWithoutHeader--></textarea>

(Only works with IE 5+. You're on your own with NS, but it shouldn't be too hard to figure out.)
I tried a few other tags. "<!--IMAIL.MessageBodyPlain-->" doesn't work.

This will disable your users' ability to read HTML email, but will prevent this "hack" from compromising your usernames/passwords if you feel that this could affect you. For those that missed the weekend thread, you can go to a test page I set up at:
The test page generates an email with embedded JavaScript that redirects your users to a fake login page.

Since session timeouts are a regular occurrence, users can be fooled into thinking they have timed out and voluntarily give up their username/password to the fake login page on a different server.

As Ron H stated, this is really something that should be handled on the server-side. (Thanks Ron for the <textarea> suggestion. At least I can tell my clients that something is in place, even if it's not 100% secure.)
Keep in mind that the code I've provided above can be easily defeated by simply sending an HTML encoded email that starts with "</textarea>". The overhead of scrubbing messages on the client-side would really make reading email a tedious task. Instead of emails being processed on receipt, they would have to be processed every time you decide to read the message.
Finally, I've noticed that the hit counter on the test page is now up to 282, but there aren't many messages in this thread. It's beginning to look like:

1) People are trying it, but don't want anyone to know they have this security hole.
2) Someone is spamming someone else with test emails.
3) Some 12 year olds on Spring Break are trying to get into their friends' email accounts.

So, I'm taking down the script tonight. If you'd like the ASP/HTML source code to test on your own servers, let me know.
-Norm
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ron Hornbaker
Sent: Sunday, March 17, 2002 2:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm,
We've got a JavaScript tag stripper function at http://hksi.net/tagstripper.htm that might come in handy if you're trying to fix this client-side. Loading the message body into a hidden or very small <textarea> tag, then dynamically writing a sanitized version to another div with JS, might be possible. Good luck getting it to work with NS, however. ;)
-Ron
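The following is an added example, not code from the thread, from the IMail readmail.html template, or from either poster. It models the <textarea> change Norm describes, shows why a message body that starts with "</textarea>" defeats it, and shows the server-side fix both posters point to: escape the body before it is substituted into the template, so the textarea still displays the raw message source but nothing in it can close the tag. It assumes Node.js; the two message bodies, the attacker URL, and the function names are constructed for the example.

```javascript
// Added example: models the readmail.html <textarea> change discussed in the
// thread and why a body starting with "</textarea>" defeats it, then the
// server-side fix (escape the body before substituting it into the template).
// Not code from IMail or from either poster; bodies and URLs are constructed.

// Constructed sample message bodies (not captured mail).
const HTML_BODY =
  '<p>Session expired.</p><script>location="http://attacker.example/login"</script>';
const BREAKOUT_BODY =
  '</textarea><script>location="http://attacker.example/login"</script>';

// The change from the post: substitute the raw message body into a <textarea>
// so the browser shows the markup as text instead of rendering it.
function naiveTextareaTemplate(body) {
  return '<textarea style="width:100%;height:100%;">' + body + "</textarea>";
}

// Escape before substitution. Inside <textarea> the content is RCDATA, so
// "</textarea" is the only sequence that can close it and "&" is the only
// one that starts an entity; encoding "<" and "&" is what makes it safe.
// ">" and quotes are encoded too so the same function is safe in ordinary
// element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The server-side version of the template: escape first, then substitute.
function escapedTextareaTemplate(body) {
  return naiveTextareaTemplate(escapeHtml(body));
}

// Locate the first <textarea ...> tag and its text content. Like the HTML
// tokenizer, the content runs until the first "</textarea" (case-insensitive),
// not until the template's own closing tag.
function splitTextarea(html) {
  const open = html.indexOf("<textarea");
  const openEnd = html.indexOf(">", open) + 1;
  const rest = html.slice(openEnd);
  const close = /<\/textarea[^>]*>/i.exec(rest);
  return {
    before: html.slice(0, open),
    content: close ? rest.slice(0, close.index) : rest,
    after: close ? rest.slice(close.index + close[0].length) : "",
  };
}

// True if a <script> element ends up in parsed markup rather than inside the
// textarea's text, i.e. the wrapper has been defeated.
function scriptEscapesTextarea(html) {
  const { before, after } = splitTextarea(html);
  return /<script/i.test(before + after);
}

// What the user would see in the textarea: its content with entities decoded.
function textareaDisplayedText(html) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return splitTextarea(html).content.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

console.log("naive, plain HTML body, script escapes:",
  scriptEscapesTextarea(naiveTextareaTemplate(HTML_BODY)));          // false
console.log("naive, body starting with </textarea>, script escapes:",
  scriptEscapesTextarea(naiveTextareaTemplate(BREAKOUT_BODY)));      // true
console.log("escaped, same body, script escapes:",
  scriptEscapesTextarea(escapedTextareaTemplate(BREAKOUT_BODY)));    // false
console.log("escaped body still displays its source verbatim:",
  textareaDisplayedText(escapedTextareaTemplate(BREAKOUT_BODY)) === BREAKOUT_BODY); // true
```

Run it with node. The escaping step is the part that belongs on the server, applied once to the body before the IMAIL.MailMessageWithoutHeader substitution; the textarea wrapper alone, as the thread notes, only holds until someone sends a body that opens with "</textarea>".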
