On Friday 3 March 2000 Steve Lamb wrote:
Or forwarded, whatever...
> 2. "The Bat!" doesn't check headers of the incoming message to contain
> this header (and this is even more dangerous). Intruder can spoof this
> header, for example to specify
> X-BAT-FILES: C:\WINDOWS\user.dat
> in message headers. In this case user.dat will appear as message
> attachment! If recipient will forward this message user.dat will be
> attached to forward. If recipient will delete this message and option
> "Delete attached file then message deleted from trash folder" is
> checked C:\WINDOWS\user.dat will be deleted.
<mouth wide open>
ICK!
I'm glad I have inline attachments turned on, and automatic attachment
deletion turned off. Of course, now I'm going to have to test that
switching these options doesn't still leave me vulnerable.
If I have inline attachments on, does The Bat! still honour those
header lines when forwarding? (It *never* should for incoming mail at
all of course, but I'm still going to have to check this to be sure
for these settings.)
(BTW, it would be nice to be able to delete attachments from messages
even if they were inline. Currently I have to delete the whole message
if I want to get rid of a (for example, a large one, say 2Mb)
attachment, and jump through hoops to keep the message body if I still
want it.)
John
--
you gave me something that i could touch in a world where i'd had too much
something i could feel with my broken hands full of lost ideals but soon i'm
returning to you my friend and we'll go where the rivers end in the silver sea
and i'll carry you if you carry me
--
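
As an added illustration (not part of the original message, and not code from The Bat! or its authors): a filter that a mail gateway or delivery script could run on inbound mail to strip the X-BAT-FILES header described in the quoted advisory before the client ever sees it. The function name, the sample message and its addresses are constructed for this example.

```python
from email import message_from_bytes, policy

# Header named in the quoted advisory. It only makes sense on messages the
# local client created itself, so it is never trusted on inbound mail.
LOCAL_ONLY_HEADERS = ("X-BAT-FILES",)


def sanitize_inbound(raw: bytes):
    """Strip client-local headers from one inbound RFC 822 message.

    Returns (cleaned_bytes, findings); findings lists the (header, value)
    pairs that were removed, so the gateway can log or quarantine.
    """
    msg = message_from_bytes(raw, policy=policy.compat32)
    findings = []
    # walk() visits the top-level headers, every MIME part, and any
    # embedded message/rfc822 (forwarded) message.
    for part in msg.walk():
        for name in LOCAL_ONLY_HEADERS:
            # Header lookup is case-insensitive; collect all occurrences.
            for value in part.get_all(name, []):
                findings.append((name, str(value).strip()))
            del part[name]  # removes every occurrence, no error if absent
    return msg.as_bytes(), findings


# Constructed sample: an inbound message carrying the spoofed header,
# written in lower case to show that the match ignores case.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: user@example.net\r\n"
    b"Subject: hello\r\n"
    b"x-bat-files: C:\\WINDOWS\\user.dat\r\n"
    b"\r\n"
    b"body text\r\n"
)

if __name__ == "__main__":
    cleaned, found = sanitize_inbound(SAMPLE)
    for header, value in found:
        print(f"removed {header}: {value}")
    print(cleaned.decode("ascii"))
```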