Bugtraq mailing list archives
Re: OBJECT Bugs or Features
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 09 Jun 2004 00:43:29 +1200
"James C Slora Jr" <Jim.Slora () phra com> wrote:
Two questions about the recent OBJECT tag assault in spam messages: 1. Should an email client process an OBJECT tag that has no corresponding /OBJECT? 2. Should an email client process an OBJECT tag that is not even embedded within HTML tags?
A more pertinent question to ask first is "What moron would ever design an Email client that _could_ render 'active content', let alone configure it to do so by default?". This would be closely followed by "What morons would elect to use such a product, even if it is the pre- installed default Email client in the most widely used OS?". As the answers to these questions have been horribly clear for years, we should move one though, but before we do, one final suggestion to make XP SP2 _truly_ worthwhile -- it should uninstall IE and OE, then randomly select and install other major third-party web browser and Email client... Anyway, to answer your specific questions... It is generally considered "good practice" (as a result of the age-old stupidity of "be lenient in what you accept", which is a purely anti- quality and anti-standards position if there ever was one) to assume that "end of file" represents termination of any paired HTML tags still open, etc, etc. So, although an example such as that you provided is not really "correct" (in that it is "incomplete") it would be expected that a browser would at least attempt to do something with such code. The answer to your second question is really an extension of the issue just discussed. The headers of your example Email message quite clearly claim the message is multipart/alternative and the first part (with the "incomplete" OBJECT tag) is text/html. Thus, although the body of that MIME component is not a properly formed, complete HTML document, the MIME Content-Type: headers provide a fairly strong basis for the MUA treating that message component as HTML and displaying it accordingly. Thus, under the "we don't give half a knob of goat sh*t for quality, predictability or stability" doctrine (aka "be lenient in what you accept..."), a MUA treating the contents of such a message component as if the missing "necessary" HTML tags and related structures were present is "good practice". <<snip>>
Many other messages have Object tags that look like this: ~object = data=3D"http://www.= 19;ildwincasino= .net/page.php= ;"~ Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The hostile site URL is often obfuscated through ASCII HTML encoding.
Note that you have failed to decode the quoted-printable encoding and once you do, that final comment makes no sense... The single "=" at the end of the line means a forced line-wrap for formatting reasons (i.e. simply remove the "=" char and the (immediately) following line-break) and the "=3D" is the necessary QP- encoding of the straight "=" chars in the original message stream (which must be so encoded to avoid possible ambiguity with QP's special use of "=" chars). RFC 1521 etc... ... Finally, to all those suddenly jumping up and down about this -- where have you been the last few months? All this stuff has been happening for months and months. Search your recent older months of spam for messages with Subject: lines of "YOU WON A FREE VACATION!!!" and similar (and with slightly different numbers of plings). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Current thread:
- OBJECT Bugs or Features James C Slora Jr (Jun 07)
- Re: OBJECT Bugs or Features Nick FitzGerald (Jun 08)
- Re: OBJECT Bugs or Features Valdis . Kletnieks (Jun 09)
- RE: OBJECT Bugs or Features James C Slora Jr (Jun 10)
- <Possible follow-ups>
- Re: OBJECT Bugs or Features http-equiv () excite com (Jun 08)
- Re: OBJECT Bugs or Features Nick FitzGerald (Jun 09)
- RE: OBJECT Bugs or Features Michael Wojcik (Jun 09)