Minor privacy exploit in Outlook Express

From: 1nternal @geocities.com (@geocities.com)
Date: Mon Apr 26 1999 - 05:07:19 PDT


    Outlook Express uses HTML to display certain information in the 'outlook today' type part of Outlook Express, i.e., the number of unread messages in your inbox etc...
    
    Because it is considered to be in the 'internet zone', this information needs to be safely scriptable, thus it can be accessed by any site in this zone. This allows for a possible (although admittedly minor) privacy and possibly security problem.
    
    The 'problem' lies in the 'OutlookExpress.MessageList' ActiveX control, which is marked safe for scripting. It allows for counting the number of messages in any folder within Outlook Express, as well as the number of unread items and a few other things, such as setting options; however, the options are set for that instance only and are not saved.
    
    An example of viewing the number of messages in a folder, as well as previewing the message (creating the file 'C:\oe_prev$.eml' without the user's permission). It should be noted that this preview message is not accessible remotely (without an exploit).
    
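    <script language="VBSCRIPT"><!--
    
    ' Instantiate the control that is marked safe for scripting
    set MsgList = CreateObject("OutlookExpress.MessageList")
    ' Select the folder to inspect
    MsgList.Folder = 6
    ' Show the number of messages in that folder
    msgbox(MsgList.Count)
    ' Preview the message (this is what creates C:\oe_prev$.eml)
    location.href = MsgList.PreviewMessage
    
    --></script>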
    
    Obviously, this could also be done in JavaScript; however, it would still require ActiveX support and OE5.
    
    1nternal@my-dejanews.com
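
A gateway-side check for the pattern described in the post, added here as an example (it is not code from the original message): it scans HTML for script blocks that instantiate the 'OutlookExpress.MessageList' ProgID through VBScript CreateObject or JScript ActiveXObject. The class and function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

PROGID = "OutlookExpress.MessageList"  # ProgID named in the post
# VBScript CreateObject("...") and JScript new ActiveXObject("...")
INSTANTIATE = re.compile(r"""(?:CreateObject|ActiveXObject)\s*\(\s*(["'])([^"']*)\1""", re.I)
# Adjacent string literals joined with & (VBScript) or + (JScript)
CONCAT = re.compile(r"""(["'])\s*[&+]\s*\1""")

class ScriptCollector(HTMLParser):
    """Collect (language, source) for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._lang, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._lang = (a.get("language") or a.get("type") or "default").lower()
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._lang, "".join(self._buf)))
            self._buf = None

def find_instantiations(html, progid=PROGID):
    """Return (script language, ProgID as written) per matching call."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for lang, src in collector.scripts:
        folded = CONCAT.sub("", src)  # rejoin split string literals
        for m in INSTANTIATE.finditer(folded):
            if m.group(2).strip().lower() == progid.lower():
                hits.append((lang, m.group(2)))
    return hits

# Constructed inputs: the post's VBScript, a JScript form, a benign page
SAMPLE_VBS = '''<script language="VBSCRIPT"><!--
set MsgList = CreateObject("OutlookExpress.MessageList")
--></script>'''
SAMPLE_JS = '<script>var m = new ActiveXObject("outlookexpress" + ".MessageList");</script>'
BENIGN = '<script>var d = new ActiveXObject("Scripting.Dictionary");</script><p>OutlookExpress.MessageList</p>'
```

The ProgID is matched only inside script elements, so prose that merely mentions the control name (as in BENIGN) is not flagged.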
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:55 PDT