Re: HTML email "bug", of sorts.

• Previous message: D. J. Bernstein: "Re: qmail starttls patch does not seed the random number generator"
• Maybe in reply to: Alex Prestin: "HTML email "bug", of sorts."
• Next in thread: Thorat_private: "Re: HTML email "bug", of sorts."
• Next in thread: role+bugtraqat_private: "Re: HTML email "bug", of sorts."
• Reply: Thorat_private: "Re: HTML email "bug", of sorts."
• Reply: David LeBlanc: "RE: HTML email "bug", of sorts."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alex Prestin wrote:
snip
> See it?  A web bug.  If I opened this mail in an HTML-capable browser,
> that little image would've popped up and I would've been none the
> wiser.  My address would also have been verified by the sender, and stored
> in a large database of valid recipients.

snip

And if you were running WinNT 4 and that referrer pointed to a server
advertising a share, NT would send your username and password to try to log
you on without your knowledge. It could be grabbed and sent back to your
machine, logon, and the atttacker would have all rights to your machince and
network that the ID you're using has.
(as I've mentioned before, MS has known about this hole since before SP2)
Cheers

Thomas Rowe
Systems Engineer, LDI
Bank of America
Atlanta, GA

• Next message: role+bugtraqat_private: "Re: HTML email "bug", of sorts."
• Previous message: D. J. Bernstein: "Re: qmail starttls patch does not seed the random number generator"
• Maybe in reply to: Alex Prestin: "HTML email "bug", of sorts."
• Next in thread: Thorat_private: "Re: HTML email "bug", of sorts."
• Next in thread: role+bugtraqat_private: "Re: HTML email "bug", of sorts."
• Reply: Thorat_private: "Re: HTML email "bug", of sorts."
• Reply: David LeBlanc: "RE: HTML email "bug", of sorts."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 19 2001 - 11:52:16 PDT