[Esd-l] This looks like something new

Smart, Dan SmartD at VMCMAIL.com
Thu Sep 19 09:27:01 PDT 2002


Are you watching the anomy-list?  They are discussing the same issue over
there too.
Here's a germane discussion....


----- Snip ------------

|-----Original Message-----
|From: Andrew [mailto:andrew at ledge.co.za] 
|Sent: Wednesday, September 18, 2002 9:07 AM
|To: anomy-list at mailtools.anomy.net
|Subject: Re: [anomy-list]: Announcing sanitizer.pl, revision 1.54
|
|
|At 11:26am Today Bjarni R. Einarsson wrote:
|
|//snip
|> The only change this time is within the HTML cleaner (which has been 
|> updated to revision 1.17), adding protection against the hcp:// 
|> protocol exploit discussed here:
|>
|> http://online.securityfocus.com/archive/1/287482/2002-08-15/2002-08-21/0
|>
|> When adding this I realized that there may be quite a few other 
|> protocols I should be blocking, so any feedback on what protocols you 
|> feel should be allowed in or banned from HTML src= and href= 
|> attributes would be most welcome.
|
|To set the ball rolling, here's the list at the moment:
|
|	[A-Za-z]*script
|	about
|	mailto
|	/dev
|	/proc
|	\\
|	file
|	smb
|	cid:.*\.'.$executables.'(@|\?|$)
|
|If you ban web bugs you also get
|	ftp
|	http
|	(https? ... I might have missed it)
|
|(And now hcp, somewhere).
|
|Here's one you can block without pangs of conscience:
|
|	telnet	Windows 2000 telnet attempts NTLM authentication (or at
|		least, it did). Network sniffs can be fed to a
|		password cracking program.
|	about	Don't know what this will be doing in mail, and
|		there's some scripting possibilities ..
|
|And this?
|
|	opera	Opera seems to support its own kind of about
|		thingy you can do opera:cache - I don't know if
|		that's good for anything legitimate.
|
|BUT! why not just block everything that's not included with 
|the message (although that's quite bad too, come to think of it :)
|
|On an unrelated note, I see that there are a few things that 
|are rumoured to be scriptable, some of which get past Anomy's 
|sanitizer -- particularly img dynsrc=xxx - selected from an 
|old bugtraq post ... 
|http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00116.html
|
|  <input type="image" dynsrc="javascript:[code]"> [IE]
|  &{[code]}; [N4]
|  <img src=&{[code]};> [N4]
|  <img src="mocha:[code]"> [N4]
|  <img src="blah"onmouseover="[code]">
|  <img src="blah>" onmouseover="[code]">
|
|The netscape4 stuff is not quite as worrying as the <img 
|src="blah>" ... > thing - which could be quite hard to fix.
|
|&:-)
----------------------- End Snip ---------------------------

<<Dan>>

|-----Original Message-----
|From: Mark_Saunders [mailto:Mark_Saunders at piucorp.com] 
|Sent: Thursday, September 19, 2002 7:26 AM
|To: John D. Hardin
|Cc: Email Security Discussion list
|Subject: Re: [Esd-l] This looks like something new
|
|
|How about an environment variable that would define the types 
|we wish to defang. This would allow immediate control over a 
|new issue, and allow us to be as liberal or paranoid as we wish.
|
|"John D. Hardin" wrote:
|
|> On Tue, 17 Sep 2002, Mark_Saunders wrote:
|>
|> > Perhaps a new tag to defang?  
|> > http://online.securityfocus.com/archive/1/287482/2002-08-15/2002-08-21/0
|>
|> That's not really a tag, but it does bring up a good point: should the 
|> sanitizer attempt to restrict the form of URLs present in mail?
|>
|> For example, any links not to (http|https|ftp):// would be defanged.
|>
|> Comments?
|>
|> --
|>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
|>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
|>   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
|>  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
|> -----------------------------------------------------------------------
|>   ...the Fates notice those who buy chainsaws...
|>                                               -- www.darwinawards.com
|> -----------------------------------------------------------------------
|>    91 days until The Two Towers
|
|--
|mv $win /dev/null
|_______________________________________________
|Esd-l mailing list
|Esd-l at spconnect.com http://www.spconnect.com/mailman/listinfo/esd-l
|
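
Added example, not part of the original messages and not code from the Anomy sanitizer or John Hardin's sanitizer: a Python sketch of the allowlist proposed in the thread, where any URL attribute not pointing to (http|https|ftp):// is flagged for defanging, using a real HTML parser so the quoted ">" in src="blah>" does not hide the attributes that follow. The names LinkAuditor, audit and SAMPLE are hypothetical, and the sample body is constructed from the snippets quoted in the thread.

```python
import re
from html.parser import HTMLParser

# Allowlist from the thread: only (http|https|ftp):// links pass.
# Everything else (hcp, telnet, *script, about, file, relative paths) fails closed.
ALLOWED_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# URL-bearing attributes named in the thread (dynsrc is IE-specific).
URL_ATTRS = {"src", "href", "dynsrc"}


class LinkAuditor(HTMLParser):
    """Collects (tag, attribute, reason) for every attribute to defang."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser honours attribute quoting, so src="blah>" does not end
        # the tag, and it decodes character references in attribute values.
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in URL_ATTRS and not ALLOWED_URL.match((value or "").strip()):
                self.findings.append((tag, name, "scheme not allowlisted"))


def audit(html_body):
    """Return the list of attributes that a sanitizer should defang."""
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings


# Constructed sample mail body; "[code]" is the placeholder used in the thread.
SAMPLE = '''
<a href="HTTP://example.org/page">ok</a>
<a href="hcp://placeholder">help</a>
<a href="telnet://host.example">t</a>
<input type="image" dynsrc="javascript:[code]">
<img src="mocha:[code]">
<img src="blah>" onmouseover="[code]">
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Under this strict rule cid: references and relative URLs are flagged too, which is the "as liberal or paranoid as we wish" trade-off raised in the thread.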


