RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

[Ron Hornbaker]

It would take more than a checkbox, of course. The programming logic behind it is significantly complex. It's easy to strip <script> tags. But JavaScript can be embedded in almost any object in the W3C DOM, and triggered in a multitude of ways. Consider, for example, that Ipswitch's programmers would have to build a huge regular expression to catch literally every event trigger (like onSelectStart, onBeforeLoad, onUnload, onError, etc. etc.) that can be embedded in normal objects, and strip them out along with their script parameters. Such a parse could prove to be prohibitively cpu expensive. The easy way out is to just strip all tags server-side, and display the message as plain-text. That's what the option should be.   Something worth playing with (you listening Norm?) would be JavaScript in the header of readmail.html that would *catch* all events that happen during the load of the page or load of images, and return false. Might be possible. But you'll always be playing catch up with the multitudes of crackers and script kiddi3s that can easily stay a step ahead.   -Ron      -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joshua Levitsky Sent: Saturday, March 16, 2002 9:07 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users... So basically if ipswitch had a checkbox on the webmessaging service that said like "Allow embeded Scripts" and you could check or uncheck it then that would make this issue go away... no?   -Josh ----- Original Message ----- From: Ron Hornbaker To: [EMAIL PROTECTED] Sent: Saturday, March 16, 2002 9:36 PM Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users... No, the smart thing would be for iwebmsg to rip them out server-side. Ripping them out client-side with the templates is going to be hella-hard (if not impossible, esp. cross-browser), since all we've got to work with is JavaScript, HTML, and a single IMail tag.   -Ron -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joshua Levitsky Sent: Saturday, March 16, 2002 8:29 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users... wow... hummm.... so basically the smart thing would be for KillerWebmail and the default stuff to not permit <script> tags in mail. Just to rip them out in the display process. No?   -Josh ----- Original Message ----- From: Norman J. Nolasco To: [EMAIL PROTECTED] Sent: Saturday, March 16, 2002 3:40 PM Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users... Hi again,   I put up a new version of the email generator at http://209.16.59.28/test.asp   It can now send the same type of email to KillerWebMail users, as well as default template users.  Again, even if the login screen doesn't use the same template, all a malicious user has to do is cut&paste the HTML off the login page onto their own version.   Norman Nolasco Advarion Incorporated