Couple reasons you probably won't see an update for a while:
1) To fix this properly, they would have to fix the server-side iwebmsg service, not the templates.
 
2) If a fix is issued, there's always someone who finds a way to one-up the fix with a new
hack.  Taking ownership of this problem now would mean a substantial future resource
allocation (programmers, support, problems with upgrades, etc.).  Mucho dinero.
 
3) It doesn't keep people from sending or receiving email and there's no RFC spec (that I'm aware
of) that suggests how to fix this problem.  So it isn't technically a critical/severe issue.
 
4) I think the code to scrub the messages might be fairly complex.  Also, it would definitely be useful
to do selective scrubbing (trusted vs. untrusted email sources).  A proper fix isn't easy.  If Ipswitch
does decide to put this on their to-do list, I'd be surprised if it didn't take a while.  It would probably
require a few new features and a new page or two.  More dinero.
 
5) There's probably going to be some overhead associated with this.  This would make iMail
unattractive to those in the >10...00 account range.
 
6) I don't think this "wheel" is squeaky enough.
 
If Ipswitch does decide to fix this and does it quickly and correctly, I'd be extremely impressed.
But I'm not expecting it and I'm still happy with the software.  For those that consider this issue a
major problem, they'll just have to find some workaround in the interim... textareas, xml.
 
Historical perspective: Microsoft was able to fix this issue in 1998 in Hotmail (took them about
2 months).  In 1999, someone found a way to bypass the filter.  It was fixed about 2 weeks later. 
They still have not issued new templates or a fix for Outlook Web Access that comes with Exchange
2000.  This problem still affected web-based email accounts from Excite, Yahoo, etc.  I'm not sure
if/when they were fixed.
 
Almost 90-95% of all "secure" message boards that accept some form of HTML also can be
compromised by this method.  Basically, most message boards, search engines, site directories, or
whatever that accepts HTML as a feature can (in some way) be messed up by embedded JavaScript.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 18, 2002 10:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Since we know Ipswitch is monitoring, shouldn't they have issued updated templates by now?
 
