--- Richard Fuchshuber <richardfuch@xxxxxxxxxxxx> wrote:

> Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
>
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in a phishing scam.
>
> For a screenshot, see [1]. The circulated text was inserted into the
> interface of "Yahoo! Mail" through an email with the above code as an
> html attachment.
>
> I tried to contact "Yahoo!" several times, without success.
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg

This is not exactly a problem with Yahoo!, but rather a problem with the way browsers tend to render HTML when forced to deal with broken tags.

Your "<? <table....>" is not needed to accomplish the same thing, since a browser will consider everything from < to the next > as a tag. Since <? is not recognized, the whole thing is ignored.

The real problem is that you are injecting a TR element into the middle of a TD, then closing the table without first closing the TD. Any web developer who would do such a thing is a moron, and your browser does the best it can to make sense of it.

You might try asking Yahoo how to turn HTML off, or simply use POP with a text-only reader to work around this.

- Will Wesley, BSCS
http://wieso.blogdrive.com
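The structural problem described in the reply above, as an added example that is not part of the original posts: a Python check that flags markup in an untrusted HTML fragment which can only bind to elements of the page it is embedded in. The names `EscapeFinder` and `find_container_escapes` and the sample string are constructed here, and `html.parser` only approximates a browser's error recovery.

```python
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
TABLE_PARTS = {"tr", "td", "th", "thead", "tbody", "tfoot"}


class EscapeFinder(HTMLParser):
    """Tracks tags opened inside the fragment and records markup that
    would attach to, or close, elements of the embedding page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # elements opened by the fragment itself
        self.findings = []   # (kind, detail) tuples

    def handle_pi(self, data):
        # "<?" consumes everything up to the next ">", so it can hide a tag.
        self.findings.append(("bogus-pi", "hides-tag" if "<" in data else "plain"))

    def handle_starttag(self, tag, attrs):
        # A row or cell with no <table> of its own joins the host's table.
        if tag in TABLE_PARTS and "table" not in self.stack:
            self.findings.append(("orphan-table-part", tag))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag in self.stack:
            while self.stack.pop() != tag:   # also closes anything left open inside
                pass
        else:
            # Nothing in the fragment opened this tag: it closes a host element.
            self.findings.append(("stray-close", tag))


def find_container_escapes(fragment):
    finder = EscapeFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


# Constructed sample, modelled on the attachment quoted in the thread.
SAMPLE = ('<?\n<TABLE border="1" cellspacing="1" cellpadding="0">\n'
          '<TR>Your profile is out of date, please update '
          '<a href="www.blabla.com">clicking here.</a></TR>\n</TABLE>\n')

if __name__ == "__main__":
    for finding in find_container_escapes(SAMPLE):
        print(finding)
```

A mail front end that gets any finding back can show the attachment as text or in a separate document instead of inlining it into its own table layout.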