<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft Word Email Object Data Vulnerability




 <!--

Outlook 2000 and 2003 allow execution of remote web pages 
specified within the data property of OBJECT tags when there is 
no closing /OBJECT

 -->

This reminds me of something I saw the other day. The following 
and a variety of variations will work in Outlook Express
[probably IE as well]:

<BODY>
<img <div src="http://www.malware.com/images/mwheader.gif"; /div>
 </BODY></HTML></OBJECT></BODY></HTML>

It hasn't been thoroughly explored but for filtering of html 
email it might prove interesting.

note: it cannot be sent from Outlook Express as it will correct 
the tags. Use something else.

It was originally noticed in IE like so:

<iframe src=http://www.malware.com








<img>

-- 
http://www.malware.com