Hi folks,

Sometimes I look at the message source of my held mail for various reasons, mainly curiosity. Until now, I have always seen plain text in the message source window.

Today I clicked on Message Source and was shocked to see a bright blue (approximately cyan) background and the text in Times New Roman. There were no carriage-returns at the end of lines. Another odd thing was the "Return-Path:" line had nothing on it (it just said "Return-Path: Delivered-To: spamcop-net...").

When I right-click on the message source window and select "View Source," I see what I expected to see in the first place. The "return-path" is there and there are three sections, including an HTML section.

I'm thinking this has something to do with the fact that it's a "multi-part message in MIME format" and the third part is a text/html section with bgColor=#ffffff and font face="Times New Roman".

My worry is that if the SpamCop webmail system is opening a browser window that interprets the HTML in messages like this, it would be possible for a spammer/hacker to write an HTML section with scripts that get executed when I am trying just to display the source.

So I am thinking "Message Source" might represent a security flaw in the webmail system--it might represent a way to infect or attack client computers.

I will be happy to forward the message or message source to someone to look at if someone official would like to check this out.

Thanks!

Better yet, send the message in to SpamCop for parsing and then post its tracking URL. You can cancel the reports if you wish; the tracking URL will still work and will let people see exactly what you are talking about.

-- rick

Yes, that's the way most of the web-site application exploits work these days. As far as Horde goes, for example, see Horde Products Cross-Site Scripting Vulnerability just noting that to the best of my knowledge, JT doesn't ignore updates. As Rick states, a Tracking URL would show whatever might be included in your example query .. if it exists at all.

The 'sanitizing' of user input/displayed data can cause all sorts of 'altered' output. So, the 'bad' display wouldn't necessarily get me excited. This is especially noted in that if the code was written worth a dang, 'you' wouldn't (in general) notice that something bad was going on at all. In this specific case, you'd be suggesting that some bad person would have taken the time to tailor some bad code to bypass the existing Horde sanitizing code, whatever modifications JT/Trevor had made to that code, shooting for the low, low target of specific users that would be using IE, actually take the time to try to 'view' the e-mail in a non-text form, etc .... sounds like quite the reverse of the spammer norm which is to try to screw over the maximum amount of folks in one fell swoop.

Again, providing a Tracking URL of the e-mail in question would allow for some specific analysis.

Please do what Rick suggested and produce a Tracking URL so that we can take a look at the raw source ourselves.

DT

I assumed it was just bad coding in this case, but I worried that it represented an opportunity for someone else intentionally to trip up a webmail user. I think you are right that an exploit based on this method would not capture a wide audience. That's a good thing, I suppose.

Downside: I always assumed the "Message Source" option was a safe way to look at spam, for whatever reason--sometimes just to be sure it is spam. Obviously, it's not totally safe.

Anyway, here's the tracking URL: http://www.spamcop.net/sc?id=z2788235097z6...265e4266d238efz

Clicking on "View entire message" gives the same result as clicking on "Message Source" in webmail, so you can see what's going on.

With my limited HTML/scripting skills, I don't see anything sinister in there--no scripts, anyway.

Thanks!

Ah...I see the problem...and it actually appears to be a problem with Internet Exploder, not necessarily with what SpamCop is doing. If you view the message source using a better browser (Firefox, in my case):

http://www.spamcop.net/sc?id=z2788235097z6...;action=display

you'll see the proper raw message source and not the rendered HTML. While viewing it in IE (which I'm pretty sure you're using), try a "View Source" on the rendered page and you'll see what it's really supposed to be showing you. Firefox gets it right...IE proves itself once again deficient....no surprise there.

DT

Right. I am using IE7. Micro$oft breaks again!

I used "View Source" in the browser before my initial post and noticed that it showed the entire text of the spam.

Although it is not a problem for Firefox users, etc., IE problems are problems that software and service providers have to address. Pragmatically, it would be unwise for Horde to ignore the possibility of exposing the bulk of their customers (i.e., IE users) to the flaw, even though it is a Micro$oft flaw. If it represents a serious enough risk, anyway.