Howdy,

I _was_ able to reproduce the exploit to great effect... I created a Perl script to automate the process, passed it on to the office clown and had a great time listening to the varied match-making arrangements he set up.

The problem seems to be that Outlook (in the default setup) hides the address part of the reply-to header when using it to create the value to put in the "To" box of the reply. A reply-to header of "John Smith <jsmithat_private>" shows up as simply "John Smith" in the "To:" box when you hit reply... but of course so does "John Smith <merry_pranksterat_private>".

The other mail readers I tested it on (Hotmail and Netscape Messenger) showed the reply-to header in full.

Cheers
Toby

>Hi Nate,
>
>I was not able to reproduce the exploit that you reported to the
>bugtraq mailing list. Outlook98 did exactly what I expected: when I
>open the mail, I see the "From:"-header in the message. When I reply
>to the email, Outlook takes the "Reply-To:"-address of the
>header. Which version of Outlook did you test?
>
>Best Regards, Sebastian
>
>PS: your "quick script" has a little bug: the header entry should be
>  "Reply-To:" instead of "Reply To:".
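A mail-filter check for the behaviour described in this thread, as an added example that is not part of the original posts: it flags messages whose Reply-To display name would hide an address that differs from the From address. The function names, sample messages and example.com/example.net addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def name_only_rendering(name, addr):
    """What a client that hides the address part puts in the To: box."""
    return name if name else addr


def reply_to_findings(raw_message):
    """Return (shown_text, hidden_address, reason) for each risky Reply-To entry."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    findings = []
    for name, addr in getaddresses(msg.get_all("Reply-To", [])):
        addr = addr.lower()
        if not addr or addr == from_addr.lower():
            continue  # reply goes back to the visible sender
        if not name:
            continue  # bare address: nothing for the client to hide
        if name.strip().lower() == from_name.strip().lower():
            reason = "display name matches From, address differs"
        else:
            reason = "display name hides a non-From address"
        findings.append((name_only_rendering(name, addr), addr, reason))
    return findings


# Constructed sample messages (not taken from the thread).
SAMPLE_BENIGN = (
    "From: John Smith <jsmith@example.com>\n"
    "Reply-To: John Smith <jsmith@example.com>\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)
SAMPLE_MISMATCH = (
    "From: John Smith <jsmith@example.com>\n"
    "Reply-To: John Smith <Someone.Else@example.net>\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", SAMPLE_BENIGN), ("mismatch", SAMPLE_MISMATCH)):
        print(label, reply_to_findings(raw))
```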
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:50 PDT