Waldo ? wrote:
> http://www.nytimes.com/2001/02/05/technology/05JAVA.html
NYTimes requires you to log in. You can use an account I created;
login-name "ihatetracking45"; password starts with "i" and ends with
"5", guess it :).
Excerpt: Using JS and the DOM, a script in an HTML msg can grab the
content of the viewed msg and then submit it to a web form
automatically. This is not very interesting during the first read, but
gets interesting, if it's quoted or forwarded in an HTML mail and then
read by a vulnerable user - the newly added comment can also be sniffed.
Proecting yourself is easy: Turn off JavaScript.
To protect your msg from potentially vulnerable recipients of your
replies / forwards, we have to strip JS from quoted or inline-forwarded
msgs. (Sending as plaintext will do that already, of course - I'm
talking about HTML msgs.)
I see no real protection for msgs forwarded as attachment, unless we
drop the strategy of always attaching verbatim and assuming the
recipient is vulnerable.
To do:
- Disable JavaScript in Mailnews (done by default in Mozilla and Beonex
Communicator, not Netscape 6)
- During quoting or forwarding inline, remove all JS and similar cruft
- During reading, treat attachments as separate msgs (not the same msg),
so the forwarded msg has no access to the main body.
mstoltz, if you have a bug filed about that, can you please open it and
quote the number her?
--
This message is protected by ROT0 encryption and the DMCA.
Reading is disallowed and will be prosecuted.
