Bugtraq mailing list archives
Re: Eudora executes (Java) URL
From: jhardin () WOLFENET COM (John D. Hardin)
Date: Tue, 11 Aug 1998 21:16:25 -0700
On Tue, 11 Aug 1998, Alec Kosky wrote:
s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1DEFANGED-ONLOAD/gi; Also things like < body ... > wont be catched. I dont know if those are leading spaces are proper HTML, but even if not, one should not suppose every bad HTML to be rejected.The following can Fix all of that: s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1 DEFANGED-ONLOAD/gi;Actually, I believe the RE that you are looking for is this: s/<\s*BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s*/<BODY $1 DEFANGED-ONLOAD/gi; The \s+ will only match one or more whitespaces, meaning that <BODY onload="badthings()" ONLOAD="badthings()"> would not be caught, becuase there are no spaces between < and body, but \s* will match zero or more whitespace characters. This will catch
"<\s+BODY" is not a valid HTML tag, so it will (should!) be totally ignored by the HTML parser in the mail client. If the HTML parser in the mail client ignores it, it's not an avenue for an exploit. Can anyone actually get a HTML-aware email client to recognize and process a "<\s+BODY" tag? Let me know. I will, however, clean the filter up for multiple ONLOAD="" clauses. Tomorrow. -- John Hardin KA7OHZ jhardin () wolfenet com pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76 ----------------------------------------------------------------------- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [ OK ] ----------------------------------------------------------------------- 75 days until Daylight Savings Time ends
Current thread:
- Re: Eudora executes (Java) URL John D. Hardin (Aug 10)
- <Possible follow-ups>
- Re: Eudora executes (Java) URL Dominique Unruh (Aug 11)
- Re: Eudora executes (Java) URL Vitiello, Eric (Aug 11)
- Re: Eudora executes (Java) URL James Wetterau (Aug 11)
- Re: Eudora executes (Java) URL Alec Kosky (Aug 11)
- Re: Eudora executes (Java) URL John D. Hardin (Aug 11)
- Cisco IOS software security notice security-alert () cisco com (Aug 12)
- Re: Eudora executes (Java) URL High Tide (Aug 12)
- Re: RotoRouter 1.0 - Traceroute log & fake Julian Assange (Aug 11)
- DoS in Flowpoint 2000 DSL routers Jason Ackley (Aug 11)
- Re: DoS in Flowpoint 2000 DSL routers Tom (Aug 11)
- Re: DoS in Flowpoint 2000 DSL routers Jason Ackley (Aug 12)
- Linux 2.1.115 oops (demo and fix) Duncan Simpson (Aug 13)
- Re: Linux 2.1.115 oops (demo and fix) Chris Wedgwood (Aug 13)
- [rootshell] Security Bulletin #22 DeadSock (Aug 14)
- Linux 2.1.115 devpts bug improved fix Duncan Simpson (Aug 13)