HTML tags on email import

Started by Patrick, May 25, 2013, 10:28:17 PM

Patrick

I'm curious if anyone thinks this could pose a security risk for any malicious email coming in. Since we can't see code, I don't know if or what security they implemented for HTML import.
Patrick - Forum Rules
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

Lawrence

An iframe can leave your browser open to some serious infections out there, depending on where the website is coming from. Really, that's about the biggest threat to HTML.

I will not be enabling HTML in any form for my email imports.
Skype: sociallarry | AIM: [email]larry.aim@aim.com[/email] | Forum Rules & Information

These forums are hosted by me with no intentions to ever monetize them. These forums are here solely for the benefit of the HostBill community.

Patrick

Quote from: Lawrence on May 25, 2013, 11:00:05 PM
An iframe can leave your browser open to some serious infections out there, depending on where the website is coming from. Really, that's about the biggest threat to HTML.

I will not be enabling HTML in any form for my email imports.

We have our PayPal emails come through billing and open tickets. Maybe odd for some, but for us it works really well to keep on top and keep records for billing staff online. That said, PayPal emails are all HTML and rather difficult to read through without HTML enabled.

Lawrence

Quote from: patrick on May 25, 2013, 11:02:26 PM
We have our PayPal emails come through billing and open tickets. Maybe odd for some, but for us it works really well to keep on top and keep records for billing staff online. That said, PayPal emails are all HTML and rather difficult to read through without HTML enabled.

That may work, but it could also be an exploit of information should anyone have such access. Also, if PayPal were compromised (probably never will be), you'd be in a serious situation.

Also, just a side note, you may someday receive spam / malware to your billing email. Do you use it for anything other than PayPal? Chances are someone else has your email, and you should just gear a PayPal just for them.

Your subscribers all have your PayPal email.

Patrick

Quote from: Lawrence on May 25, 2013, 11:29:04 PM
That may work, but it could also be an exploit of information should anyone have such access. Also, if PayPal were compromised (probably never will be), you'd be in a serious situation.

Also, just a side note, you may someday receive spam / malware to your billing email. Do you use it for anything other than PayPal? Chances are someone else has your email, and you should just gear a PayPal just for them.

Your subscribers all have your PayPal email.

I'd pay to see anyone try to compromise PayPal, to be honest. Our admin is locked behind about 4 levels of restriction, and only a VPN with a specific internal IP can access it, plus 3 other blocks behind that. I find this method a little more secure, as we utilize Google Apps for Business and email can be compromised far easier than anything else. That said, we do use a very unique email for PayPal notifications and have them open in billing. It's not our billing department email; it just opens a billing ticket.

It's been quite successful for the last 7 years since we started doing it. It's simple and easy and increases productivity time when payment disputes occur.

For example:
For payments, we have an email set up like paypal@domain.com to send payments to. This email doesn't receive any notifications. All of our notifications are received through something similar to paypal-N339a339ZZj976@domain.com

I believe someone has a far greater possibility of gaining access to our email accounts than our admin area. Our admin area is locked down like no tomorrow.

Lawrence

Looks like you got the ropes on this one! Nonetheless, there's always room for that possible breach. You should see if you could disable iframes at least, or at a minimum "filter" the iframe tag from responses.
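To make the suggestion above concrete: the following is an added example for this thread, not HostBill code, written against the Python standard library only. It goes one step further than filtering the iframe tag: a denylist of one tag still lets script blocks, inline event handlers and javascript: links through, so the sanitizer keeps only an allowlist of formatting tags and attributes that a payment notification actually needs, and drops everything else (frames, scripts, objects, styles, on* handlers, unsafe URL schemes). The sample message body is constructed for the demonstration.

```python
"""Allowlist HTML sanitizer for e-mail bodies imported into a ticket system.

Added example (not HostBill code); assumes only the Python standard library.
Instead of denylisting <iframe> alone, it keeps a small set of known-safe
tags/attributes and discards everything else.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting tags that are kept. Any other tag is dropped but its text survives,
# except for DROP_WITH_CONTENT, whose inner content is discarded as well.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "strong", "em", "span", "div", "blockquote",
    "ul", "ol", "li", "table", "thead", "tbody", "tr", "td", "th",
    "h1", "h2", "h3", "h4", "pre", "code", "a",
}
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "object", "embed",
                     "noscript", "svg", "math", "template"}
VOID_TAGS = {"br"}
# Per-tag attribute allowlist: no style, no class/id, and never on* handlers.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(value: str) -> bool:
    """Accept only absolute http(s)/mailto links; rejects javascript:, data:, etc."""
    return urlparse(value.strip()).scheme.lower() in SAFE_URL_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element
        self.open_tags = []   # tags we emitted, so the output stays well-formed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag dropped; its text still flows through
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: emit once, never push a close tag for void elements
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:              # close back down to the matching tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape all text

    def handle_comment(self, data):
        pass   # comments (including conditional comments) are dropped


def sanitize_email_html(raw_html: str) -> str:
    """Return a sanitized HTML fragment safe to embed in a ticket view."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()                       # flush buffered text
    while parser.open_tags:              # close whatever the message left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample: a payment-notification-style body with hostile additions.
SAMPLE_EMAIL = (
    '<p>Payment of <b>$10.00</b> received from '
    '<a href="https://example.com/tx/1" onclick="alert(1)">buyer</a>.</p>'
    '<iframe src="https://malicious.example/"></iframe>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">Click</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL))
```

The allowlist is deliberately short: a PayPal-style notification is paragraphs, bold text, a table and a few links, so anything outside that set is noise at best. Text is re-escaped on output, links get `rel="noopener noreferrer"`, and unclosed or mis-nested tags are closed so the fragment cannot break out of the surrounding ticket page.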

Patrick

Quote from: Lawrence on May 26, 2013, 12:00:29 AM
Looks like you got the ropes on this one! Nonetheless, there's always room for that possible breach. You should see if you could disable iframes at least, or at a minimum "filter" the iframe tag from responses.

Yeah, nevertheless I think we'll keep it disabled. In no mood to play catch me if you can with kiddies. It's worrying. Heck, a simple Smarty exploit allowed script kiddies access to admin in WHMCS years ago, so it doesn't take much to figure out the small things, and until this option becomes a little more mature, I think we'll keep it disabled. You are right about iframes, and all it would take is loading something external via iframe. I just wonder how much success that would provide with the 4 levels of access required to even gain entry or even SEE the admin side?