From: Thomas Roeder <troeder@gmx-ag.de>
To: bugtraq@securityfocus.com
Subject: Re: gmx.net
Date: Tue, 12 Jun 2001 15:18:29 +0200
Cc: rudicarell@hotmail.com

rudi carell <rudicarell@hotmail.com> wrote:
> like many other web-mail systems gmx.net has a problem filtering
> java-script in html-based mail-messages.
[...]
> the html <img> tag can be used to embed malicious java-scripts
> within html-mails

Thanks for letting us know. A workaround will go online in the next minutes.

I would like to add that we display HTML-based message content in a special security window (called "Volldarstellung" = full display mode) which doesn't contain the session ID of the logged-in user. Therefore it shouldn't be possible to compromise the user's account on our system by such tricks.

I agree though that it would be possible to open a relogin trojan which could be confusing to users with less security awareness. That's the reason why we normally try to suppress scripting code. That one passed by us though ...

Greetings from Munich,

Thomas Roeder
GMX AG, Product Management
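A defensive filter for the <img> vector the thread describes, as an added example that is not GMX's code: the attribute lists and the sample message are constructed for illustration, and only <img> is rewritten while other tags pass through unchanged.

```python
import html
from html.parser import HTMLParser

# <img> attributes that can run script (legacy IE included). Constructed list
# for this example; a production filter should allow-list attributes instead.
SCRIPT_ATTRS = {"dynsrc", "lowsrc", "style"}
URL_ATTRS = {"src", "longdesc", "usemap"}

def unsafe_url(value):
    """Script scheme after stripping the whitespace/control chars browsers skip."""
    cleaned = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
    return cleaned.lower().startswith(("javascript:", "vbscript:", "data:"))

class ImgSanitizer(HTMLParser):
    """Rewrite each <img> to keep only non-script attributes; other tags pass through."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities as written
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on") or lname in SCRIPT_ATTRS:
                self.dropped.append(lname)  # event handler or legacy script sink
            elif lname in URL_ATTRS and unsafe_url(value):
                self.dropped.append(lname)  # javascript:/data: URL in a URL slot
            else:
                kept.append(lname if value is None
                            else f'{lname}="{html.escape(value, quote=True)}"')
        self.out.append("<img" + "".join(" " + a for a in kept) + ">")

    handle_startendtag = handle_starttag  # <img ... /> is rewritten the same way
    handle_endtag = lambda self, tag: self.out.append(f"</{tag}>")
    handle_data = lambda self, data: self.out.append(data)
    handle_entityref = lambda self, name: self.out.append(f"&{name};")
    handle_charref = lambda self, name: self.out.append(f"&#{name};")

def sanitize_img(message_html):
    """Return (sanitized_html, names of the attributes that were removed)."""
    p = ImgSanitizer()
    p.feed(message_html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample message: one benign image, then two script-bearing variants.
SAMPLE = ('<p>Hello &amp; welcome</p><img src="http://example.invalid/a.gif" '
          'onerror="alert(1)"><img src=" javascript:alert(2)" alt="x" />')
```

Running `sanitize_img(SAMPLE)` keeps the benign `src`, removes `onerror` and the `javascript:` `src`, and reports the removed attribute names so the mail gateway can log the event.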