LSTOWN-L Archives

LISTSERV List Owners' Forum

Content-Transfer-Encoding: 7bit
Sender: LISTSERV list owners' forum <[log in to unmask]>
Subject:
From: Jim Walker <[log in to unmask]>
Date: Sun, 27 May 2001 13:28:59 -0400
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
Reply-To: LISTSERV list owners' forum <[log in to unmask]>

It has been known for some time that email in HTML format can be used to
execute arbitrary programs on the recipient's computer.

     http://www.cert.org/advisories/CA-2000-12.html


     http://www.symantec.com/avcenter/sirc/incorrect.mime.header.vulnerability.html

The recipient does not have to open the email; the program will run if the
message is displayed in a preview window. List owners who try to protect
their lists with "Language= NOHTML" soon discover that LISTSERV only stops
HTML if the post also has a plain text attachment. It is easy for a hacker
to remove the plain text attachment from their malicious email messages.
Anti-virus programs will only catch malicious posts that are known to their
vendor, and list moderation sacrifices the moderator's computer.

The solution is simple - if the list owner specifies that they want no HTML
posts then LISTSERV should not allow HTML posts to the list!


Jim Walker
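
The gap described in the message above, as an added example that is not part of the original post and is not LISTSERV code: `lenient_nohtml` models the behaviour as the post reports it, and `strict_nohtml` models the behaviour the post asks for. The function names, verdict strings and sample posts are hypothetical and constructed for illustration.

```python
from email import message_from_string

def leaf_types(raw):
    """Declared content types of every non-container MIME part.
    Assumption: the declared Content-Type header is taken at face value."""
    msg = message_from_string(raw)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def lenient_nohtml(raw):
    """Behaviour the post describes: HTML is removed only when the post
    also carries text/plain; an HTML-only post is delivered unchanged."""
    types = leaf_types(raw)
    if "text/html" in types and "text/plain" in types:
        return ("strip-html", [t for t in types if t != "text/html"])
    return ("deliver", types)

def strict_nohtml(raw):
    """Behaviour the post asks for: no text/html part reaches the list."""
    types = leaf_types(raw)
    if "text/html" not in types:
        return ("deliver", types)
    if "text/plain" in types:
        return ("strip-html", [t for t in types if t != "text/html"])
    return ("reject", [])

# Constructed sample posts (not taken from the page).
ALTERNATIVE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello list.
--b1
Content-Type: text/html

<p>Hello list.</p>
--b1--
"""
HTML_ONLY = """\
Content-Type: text/html

<p>Hello list.</p>
"""

if __name__ == "__main__":
    for name, raw in (("alternative", ALTERNATIVE), ("html-only", HTML_ONLY)):
        print(name, lenient_nohtml(raw), strict_nohtml(raw))
```

The two policies agree on the multipart/alternative post and differ only on the HTML-only post, which is the case the message is about.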
