John's recipes are great tools; we recommend them. Only one problem:
Procmail does not work on NetNews. (If this exploit works in mail
it almost certainly works in news.... Scary thought.)

--Brett Glass

At 10:23 AM 5/24/99 -0700, John D. Hardin wrote:
>On Mon, 24 May 1999, Georgi Guninski wrote:
>
> > Vulnerabilities:
> > * Reading user's cache and accessing information such as passwords,
> >   credit card numbers.
> > * Reading info about the Netscape's configuration ("about:config").
> >   This includes finding user's email address, mail servers, the
> >   encoded mail password (it must be saved and may be decoded). This
> >   allows reading user's email.
> >
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
>...unless you're sanitizing your email. Anybody using an HTML-enabled
>mail client should at least be aware of the availability of this tool:
>
> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
>--
> John Hardin KA7OHZ jhardinat_private
> pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
> In the Lion
> the Mighty Lion
> the Zebra sleeps tonight...
> Dee de-ee-ee-ee-ee de de de we um umma way!
>-----------------------------------------------------------------------
> 9 days until Crusade: the Babylon Project
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:46 PDT