Norm,
 
Have you considered putting the textarea-display method *inside* the BeginIfHTMLMessage block, so that it's used only when displaying html messages? That would keep your plain-text messages displayed in the normal manner.
 
Then you could add a simple script to the onLoad event of the readmail.html body tag that would strip all tags from that textarea field, if it was present, and replace its contents with the sanitized version, for better readability. As an added bonus, you could save the original html in a hidden input field (via the same JS), and create a link to let you open the original html message in a new window, if desired (if it was from a trusted source, for example).
 
Ron Hornbaker

http://humankindsystems.com - 2,595 admins can't be wrong
http://AnswerTrack.com - eCRM email tracking & routing
http://KillerWebMail.com - the name says it all
1-888-952-4888 or [EMAIL PROTECTED]
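The onLoad stripper described above, written as an added example (not code from this thread or from IMail) in plain JavaScript so the core functions can be run outside a browser. The element ids msgBody, msgPlain and msgOriginal are assumptions for illustration.

```javascript
// Added example (not IMail's or the thread's code); element ids are illustrative assumptions.
// Remove every <...> run, comments included, in one left-to-right scan. A scanner is
// used instead of a single regex so that "<scr<script>ipt>" cannot collapse into a
// live "<script>" tag: the scan drops "<scr<script>" and leaves the harmless "ipt>".
function stripTags(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      out += html[i++];
      continue;
    }
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);   // skip the whole comment
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const end = html.indexOf('>', i + 1);
    i = end === -1 ? html.length : end + 1;     // unterminated "<": drop the rest
  }
  return out;
}

// Decode the few entities a mail body commonly carries so the plain view is readable.
// "&amp;" goes last so "&amp;lt;" becomes "&lt;", not "<". The result is text and must
// be written with textContent, never innerHTML, or decoded "&lt;script&gt;" goes live.
function decodeEntities(text) {
  return text.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
             .replace(/&nbsp;/g, ' ').replace(/&amp;/g, '&');
}

function sanitizeMessage(html) {
  return decodeEntities(stripTags(html)).trim();
}

// Norm's caveat: a body containing "</textarea>" closes the wrapper before onLoad
// fires, so the stripper never sees what follows it. Flag such bodies for the reader.
function escapesTextareaWrapper(html) {
  return /<\/textarea/i.test(html);
}

// onLoad hook: keep the original in a hidden input (for "open in new window") and
// show the stripped text. The onLoad handler passes in the page's document object.
function sanitizeOnLoad(doc) {
  const area = doc.getElementById('msgBody');
  if (!area) return;
  doc.getElementById('msgOriginal').value = area.value;
  doc.getElementById('msgPlain').textContent = sanitizeMessage(area.value);
}
```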


 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Norman J. Nolasco
Sent: Monday, March 18, 2002 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Here is the code I'm using to prevent this sort of thing from affecting my users.  It's ugly, but it's
quick and it works for simple attempts at using this hack.
 
original code from readmail.html:
345:          <!--IMAIL.ElseBeginIfHTMLMessage-->
346:               <TD WIDTH="1%" BGCOLOR="#FFFFFF">&nbsp;</TD> 
347:               <TD BORDER="0" WIDTH="99%" BGCOLOR="#FFFFFF" ALIGN="left">
348:           <!--IMAIL.EndBeginIfHTMLMessage-->
349:        <!--IMAIL.MailMessageWithoutHeader-->    
 
On line 349 of readmail.html (for default iMail template people), replace:
 
<!--IMAIL.MailMessageWithoutHeader-->
 
with:
 
<textarea style="width:100%;height:100%;"><!--IMAIL.MailMessageWithoutHeader--></textarea>
 
(Only works with IE 5+.  You're on your own with NS, but it shouldn't be too hard to figure out.)
I tried a few other tags. "<!--IMAIL.MessageBodyPlain-->" doesn't work.
 
This will disable your users' ability to read HTML email, but will prevent this "hack" from compromising
your usernames/passwords if you feel that this could affect you.  For those that missed the weekend
thread, you can go to a test page I set up at:
 
 
The test page generates an email with embedded javascript that redirects your users to a fake login page.
Since session timeouts are a regular occurrence, users can be fooled into thinking they have timed out
and voluntarily give up their username/password to the fake login page on a different server. 
 
As Ron H stated, this is really something that should be handled on the server-side.  (Thanks Ron for the
<textarea> suggestion.  At least I can tell my clients that something is in place, even if it's not 100% secure.) 
Keep in mind that the code I've provided above can be easily defeated by simply sending an HTML encoded
email that starts with "</textarea>".  The overhead of scrubbing messages on the client-side would
really make reading email a tedious task.  Instead of emails being processed on receipt, they would have
to be processed every time you decide to read the message.
 
Finally, I've noticed that the hit counter on the test page is now up to 282, but there aren't many messages
in this thread.  It's beginning to look like:
1) People are trying it, but don't want anyone to know they have this security hole.
2) Someone is spamming someone else with test emails.
3) Some 12 year olds on Spring Break are trying to get into their friends' email accounts.
 
So, I'm taking down the script tonight.  If you'd like the ASP/HTML source code to test on your own
servers, let me know.
 
-Norm
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Hornbaker
Sent: Sunday, March 17, 2002 2:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm,
 
We've got a JavaScript tag stripper function at http://hksi.net/tagstripper.htm that might come in handy if you're trying to fix this client-side. Loading the message body into a hidden or very small <textarea> tag, then dynamically writing a sanitized version to another div with JS, might be possible. Good luck getting it to work with NS, however. ;)
 
-Ron
