Thomas wrote:
>
> Chuck Simmons wrote:
>
> > ... An exploit that is sometimes used that may depend on CGI (because CGI
> > can provide HTTP headers) is to send a "coded" cookie. This can happen
> > in email with some clients because <meta> tags can allow forcing the
> > load of a foreign page...
> -----------------------------
> Chuck,
>
> 1. You say "this can happen with some clients". Does this include the
> Mozilla Mail Client?
>
> 2. On the Mozilla wishlist is there anything like an option to view
> E-mails in plain text only?
>
> 3. Finally, do you think receiving HTML-enriched E-Mail is of any risk
> for a Mozilla user (assuming that Java-script is already disabled)?
>
> Thanks a lot,
> Thomas

I have not tested Mozilla mail and news for honoring <meta
refresh=blah>. If it does, it has a major flaw. That is the big hole
left when you disable JavaScript in mail. I agree that there should be
an option to view emails as plain text only (I suspect this is probably
in the bug list). For your 3, I really covered that already. This is not
a security risk. It is a potential privacy risk.
Note that the meta problem was discovered in Communicator 4.xx for
Windows. It fails in Unix with 4.xx but I don't know about Mac. The
defence is to ignore <meta refresh=blah> (or is it <meta http-equiv,
refresh=blah> - I forget the syntax). The URL in the meta tag can
identify the email address if each spam sent has a different query
string. Anyway if that hole is plugged in Mozilla, it is pretty safe
with JavaScript off in mail and news.
Chuck
--
... The times have been,
That, when the brains were out,
the man would die. ... Macbeth
Chuck Simmons [EMAIL PROTECTED]
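
The defence described in the reply above (ignoring meta refresh in mail), shown as an added example that is not part of the original post or of Mozilla's code: a filter that drops `<meta http-equiv="refresh">` from an HTML mail body before rendering and reports the target URLs it removed. The names `MetaRefreshStripper`, `sanitize`, `has_tracking_query` and the `tracker.example` URL are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

class MetaRefreshStripper(HTMLParser):
    """Re-emit HTML unchanged, except meta refresh tags, which are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []      # pieces of the sanitized body
        self.blocked = []  # refresh target URLs that were removed

    def _is_refresh(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag/attr names
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return False
        # content looks like "0; URL=http://host/path?id=..."
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        self.blocked.append(m.group(1) if m else "")  # "" = plain reload, no URL
        return True

    def handle_starttag(self, tag, attrs):
        if not self._is_refresh(tag, attrs):
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <meta ... /> form, emitted once

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def sanitize(html):
    """Return (sanitized_html, list_of_removed_refresh_urls)."""
    p = MetaRefreshStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked

def has_tracking_query(url):
    """True if the URL has a query string, which can differ per recipient."""
    return bool(urlsplit(url).query)

# Constructed sample mail body (not taken from a real message)
SAMPLE = ('<html><head><META HTTP-EQUIV="Refresh" '
          'CONTENT="0; URL=http://tracker.example/hit?id=abc123"></head>'
          '<body><p>Hello &amp; welcome</p></body></html>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```
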