Re: Microsoft Word Email Object Data Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Microsoft Word Email Object Data Vulnerability
From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
Date: Fri, 9 Jul 2004 18:13:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: 1@xxxxxxxxxxx


 <!--

Outlook 2000 and 2003 allow execution of remote web pages 
specified within the data property of OBJECT tags when there is 
no closing /OBJECT

 -->

This reminds me of something I saw the other day. The following 
and a variety of variations will work in Outlook Express
[probably IE as well]:

<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif"; /div>
 </BODY></HTML></OBJECT></BODY></HTML>

It hasn't been thoroughly explored but for filtering of html 
email it might prove interesting.

note: it cannot be sent from Outlook Express as it will correct 
the tags. Use something else.

It was originally noticed in IE like so:

<iframe src=http://www.malware.com








<img>

-- 
http://www.malware.com

Prev by Date: Re: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]
Next by Date: MOZILLA: execute local file and its fix
Previous by thread: Mozilla Security Advisory 2004-07-08
Next by thread: Microsoft Word Email Object Data Vulnerability
Index(es):
- Date
- Thread