Re: Eudora executes (Java) URL

From: Vitiello, Eric (BHS) (Evitielloat_private)
Date: Tue Aug 11 1998 - 12:58:03 PDT


    > [From an anti-mail-exploit-procmail-filter-perl-script (see
    > http://www.wolfenet.com/~jhardin/procmail-security.html):]
    > >  s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;
    >
    > This pattern will catch lines like
    >         <body onload="badthings()">
    > converted to
    >         <BODY DEFANGED-ONLOAD="badthings()">
    > but not
    >         <body onload="badthings()" onload="badthings()">
    > converted to
    >         <BODY onload="badthings()"  DEFANGED-ONLOAD="badthings()">
    > So one onload=... will stay and act.
    >
    > Also things like < body ... > won't be caught. I don't know if
    > those leading spaces are proper HTML, but even if not, one should
    > not assume that every piece of bad HTML gets rejected.
    
    The following can fix all of that:
    
    # Loop until no "<body ... onload" is left, so every ONLOAD is renamed;
    # whitespace after "<" is tolerated, quoted values are skipped whole, and
    # ONLOAD must follow whitespace so DEFANGED-ONLOAD is never matched again.
    1 while s/<\s*BODY\b((?:\s+(?!\s)|[^">\s]+(?![^">\s])|"(?:\\.|[^"\\])*")*?)\s+ONLOAD\b/<BODY$1 DEFANGED-ONLOAD/i;
    
    Eric Vitiello
    Webmaster^2, Baptist Healthcare System
    www.bhsi.com    www.westernbaptist.com
    www.baptisteast.com www.centralbap.com
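The tags discussed in this thread, run through a Python port of the quoted one-shot substitution and through a looped variant that tolerates `< body`, renames every ONLOAD and skips quoted attribute values whole. This is an added example, not code from either poster or from the procmail-security script; the fourth test tag, the token lookaheads and the `live_onload` helper are this example's own additions.

```python
import re

# Constructed test cases: the three tags discussed in the thread plus one
# with a '>' inside a quoted attribute value.
CASES = [
    '<body onload="badthings()">',
    '<body onload="badthings()" onload="badthings()">',
    '< body onload="badthings()">',
    '<body title="a > b" onload="badthings()">',
]

# Port of the one-shot substitution quoted at the top of the thread.
ONE_SHOT = re.compile(r'<BODY\s+((?:[^">]+(?:"(?:\\.|[^"])*")?)*)ONLOAD', re.I)

def defang_one_shot(html):
    """Single pass: renames at most one ONLOAD per tag, and only when
    BODY immediately follows '<'."""
    return ONE_SHOT.sub(r'<BODY \1 DEFANGED-ONLOAD', html)

# Looped variant: optional whitespace after '<'; attributes are scanned as
# whole tokens (whitespace run, bare word, or quoted string; the lookaheads
# keep a failed scan from re-splitting a token), and ONLOAD must be preceded
# by whitespace, so an already renamed DEFANGED-ONLOAD never matches again.
LOOPED = re.compile(
    r'<\s*BODY\b((?:\s+(?!\s)|[^">\s]+(?![^">\s])|"(?:\\.|[^"\\])*")*?)'
    r'\s+ONLOAD\b', re.I)

def defang_looped(html):
    """Repeat the substitution until nothing changes, so every ONLOAD goes."""
    while True:
        new = LOOPED.sub(r'<BODY\1 DEFANGED-ONLOAD', html, count=1)
        if new == html:
            return new
        html = new

def live_onload(html):
    """Count onload attributes a browser would still honour: the name
    preceded by whitespace. DEFANGED-ONLOAD has '-' there and is not counted."""
    return len(re.findall(r'\sONLOAD\b', html, re.I))

if __name__ == "__main__":
    for tag in CASES:
        print(live_onload(defang_one_shot(tag)),
              live_onload(defang_looped(tag)), defang_looped(tag))
```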
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:58 PDT