Date: Mon, 26 Apr 1999 05:07:19 -0700
From: "1nternal @geocities.com" <1nternal@MY-DEJANEWS.COM>
To: BUGTRAQ@netspace.org
Subject: Minor privacy exploit in Outlook Express

Outlook Express uses HTML to display ceratin information in the 'outlook today' type part of outlook express, ie, the number of
unread messages in your inbox etc...

Because it is considered to be in the 'internet zone', this information needs to be safely scriptable, thus it can be accessed
by any site in this zone. This allows for a possible (although admittedly minor) privacy and possibly security problem.

The 'problem' lies in the 'OutlookExpress.MessageList' ActiveX control, which is marked safe for scripting, it allows for
counting the number of messages in any folder within outlook express, as well as the number of unread items and a few other
things, such as setting options, however, the options are only set for that instance only and are not saved.

An example of viewing the number of messages in a folder, as well as previewing the message (creating the file 'C:\oe_prev$.eml'
without the users permission). It should be noted that this preview message is not accessible remotely(without an exploit).

<script language="VBSCRIPT"><!--

set MsgList = CreateObject("OutlookExpress.MessageList")
MsgList.Folder = 6
msgbox(MsgList.Count)
location.href = MsgList.PreviewMessage

--></script>

Obviously, this could also be done in JavaScript, however it would still require activeX support and OE5.

1nternal@my-dejanews.com