Subject: Re: Dammed ads
To: Emre Yildirim <emre@vsrc.uab.edu>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 07/24/2001 16:16:50
[ On Tuesday, July 24, 2001 at 14:16:07 (-0500), Emre Yildirim wrote: ]
> Subject: Re: Dammed ads
>
> I have Squirrelmail 1.2.0-rc1 installed on the server my mail arrives at.  I use it
> all the time and find it very convenient (ie your windoze machine crashes and all your saved
> email gets lost).  Then again, I have HTML turned off and postfix is filtering out
> all the .vbs crap on the mailserver.  So, webmail is not that bad :-)

Well, using a web-based mail reader (as opposed to reading mail in your
browser's built-in mail reader, which is what I initially meant) is an
entirely different thing (though potentially with a similar set of
vulnerabilities)!  ;-)

Making sure your web-based mail reader does something appropriate to
prevent your browser from seeing HTML content, while at the same time
doing something semi-safe with attachments is a help, as is filtering of
known bad stuff at the MTA level.

However if I'm not mistaken Squirrelmail has had some vulnerabilities
w.r.t. not properly protecting itself and your browser from embedded
HTML, MIME attachments, and the like too....  (certainly several such
web-based mail readers have had similar vulnerabilities and the problem
is endemic to the protocols being used)

It's not an easy problem for an application developer to solve, and when
solved completely and in a fail-safe manner it often means eliminating
features that lusers often seem to want.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
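
Added example, not part of the original message and not Squirrelmail's code: one fail-safe way a web-based mail reader can keep message HTML away from the browser and hand attachments over only as downloads, as the message describes. The function name, the returned structure and the sample message are assumptions made for illustration.

```python
import html
import re
from email import message_from_string

# Constructed sample (not from the thread): HTML body plus a script attachment.
SAMPLE = (
    "From: a@example.org\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B"\n'
    "\n"
    "--B\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    '<b>hi</b><img src="http://example.org/x.gif">\n'
    "--B\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="../note.vbs"\n'
    "\n"
    "MsgBox 1\n"
    "--B--\n"
)

def render_for_browser(raw):
    """Hypothetical helper: return (page_html, downloads) for one raw message."""
    shown, downloads = [], []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename()
        is_body = (part.get_content_maintype() == "text" and name is None
                   and part.get_content_disposition() != "attachment")
        if is_body:
            try:
                text = data.decode(part.get_content_charset() or "ascii", "replace")
            except LookupError:  # unknown charset label: fall back, never fail open
                text = data.decode("latin-1")
            # text/plain and text/html alike are escaped, so the browser sees no markup.
            shown.append("<pre>" + html.escape(text) + "</pre>")
        else:
            # Ignore the sender's type and path; force a download, never inline display.
            base = (name or "unnamed").replace("\\", "/").rsplit("/", 1)[-1]
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "unnamed"
            downloads.append({"filename": safe, "data": data, "headers": {
                "Content-Type": "application/octet-stream",
                "Content-Disposition": 'attachment; filename="%s"' % safe,
                "X-Content-Type-Options": "nosniff"}})
    return "\n".join(shown), downloads
```

The cost is the one the message names: HTML mail is shown as source, and nothing is previewed inline.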