Snort mailing list archives
ACID Incident Report escapes emails
From: "Michael Scheidell" <scheidell () fdma com>
Date: Mon, 22 Oct 2001 11:48:48 -0400
On the ACID display screen, it has to 'escape' the ampersand so that it can be displayed correctly on the HTML browser. However, when it emails a 'full report' it still escapes the ampersand, making the ASCII data a little difficult to read.

Example: the data is
this&that
The HTML script HAS to do:
this&amp;that
so that this&that is displayed on screen. However, when the email is sent via ACID, it should not escape the ampersand.

(And, yes, this was some luser at aldelpha searching for open web form mail scripts, using it to send it back to itself at aol to collect holes to spam from.)

Michael Scheidell
--
#(5 - 42754) [2001-10-22 04:35:57] [Bugtraq/1187] [CVE/CVE-1999-0172] [arachNIDS/226] WEB-CGI formmail access
IPv4: 24.51.65.183 -> xx.xx.xx.xxxx
      hlen=5 TOS=0 dlen=478 ID=50070 flags=0 offset=0 TTL=113 chksum=57049
TCP:  port=21039 -> dport: 80  flags=***AP*** seq=4199629098
      ack=3611075816 off=5 res=0 win=17520 urp=0 chksum=53227
Payload: length = 438
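
The distinction raised in the post, as an added example (Python, not ACID's own PHP code and not part of the original message): the captured payload is stored raw and encoded separately for each output sink, so the browser view is entity-encoded while the text/plain mail is not. The payload string, addresses and function names are constructed for illustration.

```python
import html
from email.message import EmailMessage

# Constructed sample: the printable form of a captured request, stored raw.
RAW_PAYLOAD = (
    'GET /cgi-bin/formmail.pl?email=a@example.com&recipient=b@example.net'
    '&subject=<A HREF="http://www.example.org/">x</A> HTTP/1.0'
)


def render_html(raw: str) -> str:
    """Browser sink: entity-encode so captured markup is shown, not interpreted."""
    return "<pre>" + html.escape(raw, quote=True) + "</pre>"


def render_text(raw: str) -> str:
    """text/plain sink: no HTML parser reads this, so no entity encoding."""
    # Non-printable bytes become '.', as in a hexdump's ASCII column, so that
    # captured CR/LF cannot add lines to the report body.
    return "".join(c if c.isprintable() else "." for c in raw)


def buggy_text(raw: str) -> str:
    """The reported behaviour: the HTML-encoded string reused for the mail."""
    return html.escape(raw, quote=True)


def build_report_mail(raw: str, sender: str, rcpt: str) -> EmailMessage:
    """Build one report with each part encoded for its own context."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "Incident report"
    msg.set_content(render_text(raw))                       # text/plain part
    msg.add_alternative(render_html(raw), subtype="html")   # text/html part
    return msg


if __name__ == "__main__":
    mail = build_report_mail(RAW_PAYLOAD, "ids@example.com", "analyst@example.com")
    print(mail.get_body(preferencelist=("plain",)).get_content())
    print(mail.get_body(preferencelist=("html",)).get_content())
    print(buggy_text(RAW_PAYLOAD))
```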