Alessandro Vesely writes:

Sam Varshavchik wrote:

This release of SqWebMail filters out certain MSIE-only scripting constructs that could be used for malicious purposes. As an alternative: a cumulative patch [...]

Apparently, that patch is not related to the downloading of viral
attachments that has been recently echoed on this list. Correct?

Correct.

It skips some HTML tags. Are there any advisories or references about
the MSIE scripting vulnerabilities that the patch addresses?

You got it all wrong. It's not really a vulnerability in MSIE, it's really a "feature". Aren't you happy? Although in the rest of the world, any <!-- comment --> in HTML gets ignored, with MSIE a specially formatted HTML comment can get processed as regular HTML code, with scripting, et al:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/ccomment_ovw.asp

The other stuff in the patch is because it's cumulative, and includes last week's fix for a different issue.


Attachment: pgpx0fOgQn8pt.pgp
Description: PGP signature
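
A conservative filter for the construct described in the message above, as an added example that is not part of the original thread and is not SqWebMail's patch: it drops every HTML comment and every `<![...]>` marker rather than trying to recognise only the MSIE-specific conditional form. The function name `strip_html_comments` and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not SqWebMail code): copy HTML from in to out,
 * replacing every <!-- ... --> comment and every <![ ... > marker with one
 * space.  Returns the number of constructs dropped, or -1 if out is too
 * small (out is then left empty, so nothing unfiltered is ever emitted). */
long strip_html_comments(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    long dropped = 0;
    if (outsz == 0)
        return -1;
    while (*in) {
        const char *end;
        size_t skip;
        if (o + 1 >= outsz) {              /* no room for one byte plus NUL */
            out[0] = '\0';
            return -1;
        }
        if (strncmp(in, "<!--", 4) == 0) {
            end = strstr(in + 4, "-->");   /* ordinary or conditional comment */
            skip = 3;
        } else if (strncmp(in, "<![", 3) == 0) {
            end = strchr(in + 3, '>');     /* <![if ...]> / <![endif]> marker */
            skip = 1;
        } else {
            out[o++] = *in++;              /* ordinary byte: copy through */
            continue;
        }
        /* A space, not nothing, so the bytes on either side of the hole
         * cannot join up into a fresh "<!--" in the output. */
        out[o++] = ' ';
        dropped++;
        if (end == NULL)                   /* unterminated: drop the rest */
            break;
        in = end + skip;
    }
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed sample input, not taken from a real message. */
    char out[128];
    long n = strip_html_comments("a<!--[if IE]><b>x</b><![endif]-->z", out, sizeof out);
    printf("%ld dropped: \"%s\"\n", n, out);
    return 0;
}
```

Text between bare `<![if ...]>` and `<![endif]>` markers is kept, since every browser renders it; it still has to pass through the rest of the HTML filter.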