Bugtraq mailing list archives
Re: Eudora executes (Java) URL
From: dominique () UNRUH DE (Dominique Unruh)
Date: Tue, 11 Aug 1998 21:09:00 +0200
[From an anti-mail-exploit-procmail-filter-perl-script (see http://www.wolfenet.com/~jhardin/procmail-security.html):]
s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;
This pattern will catch lines like
<body onload="badthings()">
converted to
<BODY DEFANGED-ONLOAD="badthings()">
but not
<body onload="badthings()" onload="badthings()">
converted to
<BODY onload="badthings()" DEFANGED-ONLOAD="badthings()">
So one onload=... will stay and act.
Also things like < body ... > won't be caught. I don't know if those
leading spaces are proper HTML, but even if not, one should not suppose
that all bad HTML will be rejected.
DniQ.
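Added example for this archive page (not code from the post above, nor from the procmail-security script it quotes): the post's Perl substitution transcribed into Python's `re`, whose backtracking behaviour matches Perl's for this pattern, run against the three inputs the post discusses, beside a stricter rewrite that renames every `on*` attribute of every tag and tolerates whitespace after `<`. The function names (`defang_original`, `defang_hardened`, `live_handlers`) and the hardened patterns are assumptions of this example, not part of the original filter.

```python
"""Reproduce the post's ONLOAD-defanging regex and show where it leaks."""
import re

# The pattern quoted in the post, transcribed verbatim; Python's \1 stands in
# for Perl's $1 in the replacement.  (Assumption: Perl and Python backtrack the
# same way here, which holds for this pattern.)
ORIGINAL = re.compile(r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD', re.I)


def defang_original(html):
    """One global, case-insensitive pass, exactly as the s///gi in the post."""
    return ORIGINAL.sub(r'<BODY \1 DEFANGED-ONLOAD', html)


# Hardened version (added example): match any tag, allowing whitespace after
# '<', then rewrite the attribute list attribute by attribute, so repeated
# handlers are all renamed instead of only the last one.
TAG = re.compile(r'''<(\s*)([A-Za-z][\w-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>''', re.S)
# One attribute: leading space, name, optional =value (quoted or bare).
ATTR = re.compile(r'''(\s*)([^\s=>"'/]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?''')
# Any event-handler attribute name (onload, onclick, onmouseover, ...).
HANDLER = re.compile(r'on[a-z]+$', re.I)


def _defang_attr(a):
    ws, name, value = a.group(1), a.group(2), a.group(3) or ''
    if HANDLER.match(name):
        name = 'DEFANGED-' + name
    return f'{ws}{name}{value}'


def _defang_tag(m):
    # re.sub keeps text between attribute matches, so nothing is dropped.
    return f'<{m.group(1)}{m.group(2)}{ATTR.sub(_defang_attr, m.group(3))}>'


def defang_hardened(html):
    """Rename every on* attribute in every tag."""
    return TAG.sub(_defang_tag, html)


def live_handlers(html):
    """Names of handler attributes that survive a filter (used to check results)."""
    found = []
    for m in TAG.finditer(html):
        for a in ATTR.finditer(m.group(3)):
            if HANDLER.match(a.group(2)):
                found.append(a.group(2))
    return found


if __name__ == '__main__':
    # Constructed inputs: the three cases from the post.
    cases = [
        '<body onload="badthings()">',
        '<body onload="badthings()" onload="badthings()">',
        '< body onload="badthings()">',
    ]
    for c in cases:
        print('original :', defang_original(c), live_handlers(defang_original(c)))
        print('hardened :', defang_hardened(c), live_handlers(defang_hardened(c)))
```

Running it shows the original regex only renaming the last `onload` in the duplicated case and ignoring `< body` entirely, while the attribute-level rewrite neutralises both. The lesson carries over to any regex-based sanitiser: match the structure (tag, then each attribute) rather than one substring, and over-defang rather than under-defang.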
