Vulnerability Development mailing list archives
Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP)
From: nicolas.justin () FREE FR (Nicolas Justin)
Date: Sat, 11 Mar 2000 19:21:45 +0100
> > Why is my nutscrape parsing the vcard contents as HTML? Is this
> > intended behaviour?

Yes. It would be interesting to know for different mail browsers if the vcard --> HTML translation actually could be exploited, e.g., by inserting <script> tags in the vcard information, even if Java/Javascript is disabled.

Nicolas Justin writes:
> Add these lines to your procmailrc
> :0
> * ^Content-Type.*text/html*
> | (formail -r ; echo "You have sent a mail in HTML format, please
> resend it in plain text format") | /usr/sbin/sendmail -oi -t

Great! Now we can use Nicolas' email address (and the address of everyone who takes his advice) as a remailer (possibly then fed to a recipient amplifier as explained below) -- without waiting for him to go on vacation. I won't bother posting an exploit script. :-)

For all you 31337 haxors: I expect this particular address will be protected by the time this message passes through the moderator. :-)

> :0
> * ^Content-Type.*multipart/alternative*
> | (formail -r ; echo "You have sent a mail in HTML format, please
> resend it in plain text format") | /usr/sbin/sendmail -oi -t

There are non-HTML reasons for multipart/alternative. E.g., PNG vs. JPEG, different languages and charsets, etc. Admittedly, text vs. HTML is by far the most common.

> So, if you receive a mail in HTML format, it will be trashed and a mail
> will be sent to the sender.

...and that can be a problem. IMHO, Mikael Olsson had a better idea: Use a filter. It might not be trivial, but there are MIME-parsing packages for Perl, and I suspect, other languages.

IMHO, auto-reply (if not human-monitored and/or seriously filtered) is an exploit waiting to happen. It may work a lot more slowly, but several of the classic */IP-based attacks translate pretty well. If the original message is included in its entirety by an auto-responder, it also becomes fertile ground for volume-amplification -- as opposed to recipient-amplification via mailing lists. (It looks like Nicolas' suggestion does *not* do this, but I haven't checked.)

Given the subject of this list (VULN-DEV), I nominate Nicolas for an honorary tee shirt. ;^)

Chuck

It was just an *EXAMPLE*, you have to include some checks, if the mail comes from a mailing list... You have to improve it if you want a real world solution ;)

I have used this script on my university computer to protect my mailbox. It was just a suggestion, not a real secure script!

bye.

--
____________________________________________
Nicolas Justin - nicolas.justin () free fr
http://surf.to/linux-fr
Current thread:
- Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Chuck Phillips (Mar 11)
- Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Nicolas Justin (Mar 11)
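
The filter approach that Chuck credits to Mikael Olsson, sketched as an added example (not code from the thread or from any of its posters): text/html parts are dropped locally and no reply is ever generated, so the mailbox cannot be driven as a reflector, and non-HTML multipart/alternative parts are left alone. The function names, the notice text and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

NOTICE = "[text/html content removed by local mail filter]\n"

def strip_html(raw: bytes) -> EmailMessage:
    """Parse a message and drop every text/html part; no reply is ever generated."""
    msg = message_from_bytes(raw, policy=policy.default)
    _prune(msg)
    return msg

def _prune(part: EmailMessage) -> None:
    if part.is_multipart():
        kept = [p for p in part.get_payload() if p.get_content_type() != "text/html"]
        for p in kept:
            _prune(p)
        if kept:
            part.set_payload(kept)   # non-HTML alternatives (PNG/JPEG, charsets) survive
        else:
            part.clear_content()     # the container held nothing but HTML
            part.set_content(NOTICE)
    elif part.get_content_type() == "text/html":
        part.set_content(NOTICE)     # single-part HTML: headers kept, body replaced

def part_types(msg: EmailMessage) -> list:
    return [p.get_content_type() for p in msg.walk()]

# Constructed sample messages (not taken from the thread).
ALT = b"""\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B"

--B
Content-Type: text/plain; charset="us-ascii"

hello in plain text
--B
Content-Type: text/html; charset="us-ascii"

<html><body><script>x()</script>hello</body></html>
--B--
"""
HTML_ONLY = b"MIME-Version: 1.0\nContent-Type: text/html\n\n<html><body>hi</body></html>\n"

if __name__ == "__main__":
    for raw in (ALT, HTML_ONLY):
        print(part_types(strip_html(raw)))
```
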