Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Mon, 26 Apr 1999 05:07:19 -0700  
From: "1nternal @geocities.com" <1nternal@MY-DEJANEWS.COM>  
To: BUGTRAQ@netspace.org  
Subject: Minor privacy exploit in Outlook Express  
Outlook Express uses HTML to display ceratin information in the 'outlook today' type part of outlook express, ie, the number of  
unread messages in your inbox etc...  
Because it is considered to be in the 'internet zone', this information needs to be safely scriptable, thus it can be accessed  
by any site in this zone. This allows for a possible (although admittedly minor) privacy and possibly security problem.  
The 'problem' lies in the 'OutlookExpress.MessageList' ActiveX control, which is marked safe for scripting, it allows for  
counting the number of messages in any folder within outlook express, as well as the number of unread items and a few other  
things, such as setting options, however, the options are only set for that instance only and are not saved.  
An example of viewing the number of messages in a folder, as well as previewing the message (creating the file 'C:\oe_prev$.eml'  
without the users permission). It should be noted that this preview message is not accessible remotely(without an exploit).  
<script language="VBSCRIPT"><!--  
set MsgList = CreateObject("OutlookExpress.MessageList")  
MsgList.Folder = 6  
location.href = MsgList.PreviewMessage  
Obviously, this could also be done in JavaScript, however it would still require activeX support and OE5.