Bugtraq mailing list archives

Re: Eudora executes (Java) URL


From: jhardin () WOLFENET COM (John D. Hardin)
Date: Tue, 11 Aug 1998 21:16:25 -0700


On Tue, 11 Aug 1998, Alec Kosky wrote:

 s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;

Also things like < body ... > won't be caught. I don't know if those
leading spaces are proper HTML, but even if not, one should not
assume that every piece of bad HTML will be rejected.

The following can fix all of that:

s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1 DEFANGED-ONLOAD/gi;

Actually, I believe the RE that you are looking for is this:

s/<\s*BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s*/<BODY $1 DEFANGED-ONLOAD/gi;

The \s+ will only match one or more whitespace characters, meaning that
<BODY onload="badthings()" ONLOAD="badthings()"> would not be caught,
because there are no spaces between < and body, but \s* will match zero
or more whitespace characters. This will catch

"<\s+BODY" is not a valid HTML tag, so it will (should!) be totally
ignored by the HTML parser in the mail client. If the HTML parser in the
mail client ignores it, it's not an avenue for an exploit. Can anyone
actually get an HTML-aware email client to recognize and process a
"<\s+BODY" tag? Let me know.

I will, however, clean the filter up for multiple ONLOAD="" clauses.

Tomorrow.

--
 John Hardin KA7OHZ                               jhardin () wolfenet com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   75 days until Daylight Savings Time ends
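
As an added example that is not part of this message or the thread: a small Python harness that transcribes the three substitutions discussed above into re.sub (re.I standing in for Perl's /i, \g<1> for $1) and runs each over constructed test tags to see whether an onload attribute survives. The sample tags, the filter names and the onload_survives check are my own assumptions, not anything from the posters.

```python
import re

# The three candidate filters from the thread, transcribed from Perl s///gi
# to Python re.sub with re.I.  Perl's $1 becomes \g<1>; in Python 3.5+ an
# unmatched group 1 substitutes as "".
FILTERS = {
    "original": (r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD',
                 r'<BODY \g<1> DEFANGED-ONLOAD'),
    "s_plus":   (r'<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+',
                 r'<BODY \g<1> DEFANGED-ONLOAD'),
    "s_star":   (r'<\s*BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s*',
                 r'<BODY \g<1> DEFANGED-ONLOAD'),
}

# Constructed test tags (not from any real message): the plain case, the
# "< body" case raised in the thread, and the doubled-ONLOAD case that the
# reply says still needs cleaning up.
SAMPLES = {
    "plain":   '<BODY ONLOAD="bad()">',
    "spaced":  '< body onload="bad()">',
    "doubled": '<BODY onload="a()" ONLOAD="b()">',
}

# An onload attribute survives textually if the name "onload" is still
# followed by "=" and is not glued to a preceding word character or "-"
# (as it is in DEFANGED-ONLOAD).  Whether a given mail client would honour
# a "< body" tag at all is the open question in the thread, not something
# this check decides.
LIVE_ONLOAD = re.compile(r'(?<![\w-])onload\s*=', re.I)

def defang(filter_name, html):
    pattern, replacement = FILTERS[filter_name]
    return re.sub(pattern, replacement, html, flags=re.I)

def onload_survives(html):
    return LIVE_ONLOAD.search(html) is not None

def audit():
    """Return {filter: {sample: True if an onload attribute survived}}."""
    return {f: {s: onload_survives(defang(f, html)) for s, html in SAMPLES.items()}
            for f in FILTERS}

if __name__ == "__main__":
    # s_star "passes" plain and spaced only because its lazy *? and trailing
    # \s* let it match "<BODY " alone and splice DEFANGED-ONLOAD directly
    # onto the next attribute name; inspect defang() output, not just flags.
    for f, results in audit().items():
        print(f"{f:9s}", {s: ("LIVE" if v else "ok") for s, v in results.items()})
```

Running it shows that none of the three variants handles the doubled-ONLOAD tag, and that the \s+ variant matches neither the plain tag nor the spaced one it was written for.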


