Quoting Denis Jedig <seclists@syneticon.de>: > http-equiv@excite.com wrote: > > Content-Type: text/plain; > > [...] > > <img dynsrc=javascript:alert()><font color=red>foo > > > > The above is a legitimate RFC822 mail message in plain text. > > Ordinarily one would require an html mail message [Content-Type: > > text/html;] to parse html and scripting. > > Internet Explorer seems to take no offense on Content-Types either - > text/plain from a web server is happily rendered as HTML, if it contains > valid tags. > Yes, it's a well known security hole that Microsoft has refused or is unable to fix. I (and others) have reported this issue over the last few years. MS acknowledge the problem but will not fix it. Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt I recommend against using IE and Outlook in any kind of sensitive environment. .pre
