John's recipes are great tools; we recommend them. Only one problem:
Procmail does not work on NetNews. (If this exploit works in mail it
almost certainly works in news.... Scary thought.)
--Brett Glass
At 10:23 AM 5/24/99 -0700, John D. Hardin wrote:
>On Mon, 24 May 1999, Georgi Guninski wrote:
>
> > Vulnerabilities:
> > * Reading user's cache and accessing information such as passwords,
> > credit card numbers.
> > * Reading info about the Netscape's configuration ("about:config").
> > This includes finding user's email address, mail servers, the
> > encoded mail password (it must me saved and may be decoded). This
> > allows reading user's email.
> >
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
>...unless you're sanitizing your email. Anybody using an HTML-enabled
>mail client should at least be aware of the availability of this tool:
>
> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
>--
> John Hardin KA7OHZ jhardinat_private
> pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
> In the Lion
> the Mighty Lion
> the Zebra sleeps tonight...
> Dee de-ee-ee-ee-ee de de de we um umma way!
>-----------------------------------------------------------------------
> 9 days until Crusade: the Babylon Project
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:46 PDT