Bugtraq mailing list archives
Re: Eudora executes (Java) URL
From: Evitiello () BHSI COM (Vitiello, Eric)
Date: Tue, 11 Aug 1998 15:58:03 -0400
[From an anti-mail-exploit-procmail-filter-perl-script (see http://www.wolfenet.com/~jhardin/procmail-security.html):]s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1DEFANGED-ONLOAD/gi; This Pattern will catch lines like <body onload="badthings()"> converted to <BODY DEFANGED-ONLOAD="badthings()"> but not <body onload="badthings()" onload="badthings()"> converted to <BODY onload="badthings()" DEFANGED-ONLOAD="badthings()">] So one onload=... will stay and act. Also things like < body ... > wont be catched. I dont know if those are leading spaces are proper HTML, but even if not, one should not suppose every bad HTML to be rejected.
The following can Fix all of that:
s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1
DEFANGED-ONLOAD/gi;
Eric Vitiello
Webmaster^2, Baptist Healthcare System
www.bhsi.com www.westernbaptist.com
www.baptisteast.com www.centralbap.com
Current thread:
- Re: Eudora executes (Java) URL John D. Hardin (Aug 10)
- <Possible follow-ups>
- Re: Eudora executes (Java) URL Dominique Unruh (Aug 11)
- Re: Eudora executes (Java) URL Vitiello, Eric (Aug 11)
- Re: Eudora executes (Java) URL James Wetterau (Aug 11)
- Re: Eudora executes (Java) URL Alec Kosky (Aug 11)
- Re: Eudora executes (Java) URL John D. Hardin (Aug 11)
- Cisco IOS software security notice security-alert () cisco com (Aug 12)
- Re: Eudora executes (Java) URL High Tide (Aug 12)
- Re: RotoRouter 1.0 - Traceroute log & fake Julian Assange (Aug 11)
- DoS in Flowpoint 2000 DSL routers Jason Ackley (Aug 11)
- Re: DoS in Flowpoint 2000 DSL routers Tom (Aug 11)
- Re: DoS in Flowpoint 2000 DSL routers Jason Ackley (Aug 12)
- Linux 2.1.115 oops (demo and fix) Duncan Simpson (Aug 13)