Bugtraq mailing list archives
Re: Eudora executes (Java) URL
From: alec () dakotacom net (Alec Kosky)
Date: Tue, 11 Aug 1998 15:34:12 -0700
On 11-Aug-98 Vitiello, Eric (BHS) wrote:
> [From an anti-mail-exploit-procmail-filter-perl-script (see http://www.wolfenet.com/~jhardin/procmail-security.html):]
>
>   s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1DEFANGED-ONLOAD/gi;
>
> This pattern will catch lines like
>   <body onload="badthings()">
> converted to
>   <BODY DEFANGED-ONLOAD="badthings()">
> but not
>   <body onload="badthings()" onload="badthings()">
> converted to
>   <BODY onload="badthings()" DEFANGED-ONLOAD="badthings()">]
>
> So one onload=... will stay and act. Also things like < body ... > won't be caught. I don't know if those leading spaces are proper HTML, but even if not, one should not suppose every bad HTML to be rejected.
>
> The following can fix all of that:
>
>   s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1 DEFANGED-ONLOAD/gi;

Actually, I believe the RE that you are looking for is this:

  s/<\s*BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s*/<BODY $1 DEFANGED-ONLOAD/gi;

The \s+ will only match one or more whitespaces, meaning that
  <body onload="badthings()" onload="badthings()">
would not be caught, because there are no spaces between < and body, but \s* will match zero or more whitespace characters. This will catch
  <body onload="badthings()" onload="badthings()">
and
  < body onload="badthings()" onload="badthings()" >

--Alec--
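
Added example, not part of the original thread or of the procmail filter: the first quoted pattern ported to Python's re syntax, next to a tag-scoped alternative that renames every ONLOAD attribute inside a BODY tag, including tags written as "< body". The names defang_original, defang_body_onload, BODY_TAG and TOKEN are hypothetical, and the sample tags are constructed from the ones discussed above.

```python
import re

# Pattern quoted in the thread, ported from Perl s///gi to Python's re syntax.
ORIGINAL = re.compile(r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD', re.I)

def defang_original(html):
    # Rewrites one ONLOAD per tag: the last one the greedy group can reach.
    return ORIGINAL.sub(r'<BODY \g<1>DEFANGED-ONLOAD', html)

# Assumed alternative (hypothetical names): capture the whole body tag first,
# allowing whitespace after "<" and ">" inside quoted attribute values.
# HTML has no backslash escapes, so a quoted run ends at the next same quote.
BODY_TAG = re.compile(r'''<\s*BODY\b(?:[^"'>]|"[^"]*"|'[^']*')*''', re.I)

# Inside the tag: group 1 is a quoted value (copied through untouched);
# otherwise a bare ONLOAD token that is not already prefixed.
TOKEN = re.compile(r'''("[^"]*"|'[^']*')|(?<![\w-])ONLOAD(?![\w-])''', re.I)

def defang_body_onload(html):
    def fix_tag(tag):
        return TOKEN.sub(
            lambda t: t.group(1) or 'DEFANGED-' + t.group(0), tag.group(0))
    return BODY_TAG.sub(fix_tag, html)

if __name__ == '__main__':
    # Constructed samples based on the tags discussed in the thread.
    samples = [
        '<body onload="badthings()">',
        '<body onload="badthings()" onload="badthings()">',
        '< body onload="badthings()" onload="badthings()" >',
        '<body title="see onload docs" bgcolor=\'#fff\'>',
    ]
    for s in samples:
        print('input   :', s)
        print('original:', defang_original(s))
        print('scoped  :', defang_body_onload(s))
```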