Winmail.dat? What is it and why do I see it.

Over this past weekend the owner of our bank e-mailed me asking why all his attachments from Evernote in his Outlook all came across as “winmail.dat” attachments. He couldn’t get any file back and lost many documents that came across as winmail.dat attachments (word and excel documents).

Now I haven’t gotten to explain or show him how to fix this going forward yet and that in fact his attachments are not at all lost (but retrievable!) I wanted to shout out to anyone else in this strange puzzling predicament.

As most of us know Outlook and Exchange like to sit on their own island which at times is nice and awesome but at other times (a lot) it’s not. In this case the fact that Outlook uses a completely propriety Microsoft format known as “Rich Text Format” (RTF) is one of those moments. RTF while is fine and good in Outlook we see that anything other than Outlook it’s not so good and that result is the “winmail.dat” attachment.

The winmail.dat attachment includes all the formatting options present in an e-mail created with Outlook (font, color, bold, size, etc.) and in most cases will swallow up any attachment attached to that e-mail which makes no sense at all but 9 out of 10 times it decides it makes sense to Outlook. The result is a completely terrible formatted plain text e-mail with a sometimes rather large winmail.dat attachment that is usually ignored or deleting because the recipient thinks it’s some virus attachment.

The fix for this is to ensure Outlook is sending messages by default in any format other than RTF to the outside world (internet mail recipients). The default way is usually to have Outlook convert any RTF to HTML when it’s sending outside your Exchange organization as noted below under File, Options, Mail, Formatting.

Considering this is the default settings from Outlook more than likely if you have someone continuing to see this issue with certain internet mail recipients then it’s more than likely old imported contacts having the “Internet format” setting set to the RTF which may be unintentional by the user. Easiest way to check this setting to open the contact card, double click on the e-mail address in question, select the view more options tab on the right and select “Outlook Properties”.

We want to ensure that Internet format is set to let Outlook decide meaning it will pick up the setting from above to convert to HTML.

If like me you rather not have to worry about this whole Rich Text conundrum that Microsoft presents us we can simply disable it completely from the Exchange Server. Simply log into the Exchange Management Console, go under Organization Configuration, Hub Transport, then Remote Domains. Right click on the “Default” and select properties (you may have multiple remote domain policies to look at). Under the Message Format tab we have multiple format options, the one we are concerned with is the Exchange rich-text format. By default it’s set to “Determined by individual user settings” meaning it’s going to use the options set by Outlook in the above walk through. If your like me though and really rather not even give Outlook the option to use Rich Text and rather it automatically force HTML or some other conversion in Outlook simply set it the option to Never Use and you’ll alleviate all headaches going forward related to this.

This also solves headaches related to SharePoint contact libraries as well for you savy SharePointer’s out there.

Now I’m sure your next question might be “well is there any hope for these winmail.dat files that might possibly have important data in them??”. Why yes there is hope and it lies in a great free app called Winmail Opener (an original name yes?) which can be downloaded here

Well I hope this post was informative to somebody out there (other than myself). I’m finally deciding I should share my small victories with others since it might actually be *GASP* helpful to others :).


Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web Security Vulnerability
Product: Winmail Server
Vendor: Winmail Server
Vulnerable Versions: 4.2   4.1
Tested Version: 4.2   4.1
Advisory Publication: August 24, 2015
Latest Update: August 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Winmail Server

Product & Vulnerable Versions:
Winmail Server
4.2   4.1

Vendor URL & Download:
Product can be obtained from here,

Product Introduction Overview:
“Winmail Server is an enterprise class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL security, Network Storage, remote access, Web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders. Winmail Server can be configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem networks, beyond standard LAN and Internet mail server configurations.”

(2) Vulnerability Details:
Winmail Server web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Winmail Server has patched some of them. “scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training”. Scip has recorded similar XSS bugs, such as scipID 26980.

(2.1) The code flaw occurs at “&lid” parameter in “badlogin.php” page. In fact, CVE-2005-3692 mentions that “&retid” parameter in “badlogin.php” page is vulnerable to XSS attacks. But it does not mention “&lid” parameter". The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB ID is 20926.