[10640] in bugtraq
Re: Netscape Communicator JavaScript in security
daemon@ATHENA.MIT.EDU (Forrest J. Cavalier III)
Wed May 26 14:52:28 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <199905260148.VAA17776@tool.epix.net>
Date: Tue, 25 May 1999 21:40:43 -0400
Reply-To: mibsoft@mibsoftware.com
From: "Forrest J. Cavalier III" <mibsoft@MIBSOFTWARE.COM>
To: BUGTRAQ@NETSPACE.ORG
> John's recipes are great tools; we recommend them. Only one problem:
> Procmail does not work on NetNews. (If this exploit works in mail it
> almost certainly works in news.... Scary thought.)
>
> --Brett Glass
>
I don't know if the exploit works with Usenet messages, but
decent Usenet servers have filtering capabilities.
INN has had perl filtering hooks since at least 1995,
and has had easily modified code to analyze and reject
messages based on headers since the beginning (1993).
In Usenet, generally most sites do not modify
and sanitize messages; they just drop and reject them,
with just a message to the log, nothing else. Since
propagating modified messages, for whatever reason, is
never acceptable, it becomes a problem to sanitize:
it would mean keeping additional special copies around.
A full Usenet feed is on the order of 1E6 messages
per day, and nearly all are binaries (UUencoded). The John D.
Hardin code looks solid, but might bog down a server
if every Usenet message had to go through it.
Personally, I don't think HTML (or binaries) belong
on Usenet in the first place, so it's a simple policy
to just drop posts containing HTML or UUencoding. :-)
Seriously, the Hardin perl code will drop pretty easily
into INN, although I haven't tried it myself.
See README.perl_hook in the INN distribution and
modify the procmail selector lines to the appropriate
perl instead, and return a reject code instead of
mangling and rewriting.
Forrest J. Cavalier III, Mib Software, INN customization and
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages:
http://www.mibsoftware.com/innsup.htm
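Added example, not part of the post above and not code from INN or from John Hardin's sanitizer: the shape of the "reject instead of rewrite" filter the post describes, written against the innd Perl filter convention as I understand it (innd calls filter_art() once per incoming article with the headers in %hdr and the body in $hdr{'__BODY__'}; returning "" accepts, returning a non-empty string rejects and that string goes to the log). The header keys, the __BODY__ pseudo-header and the caller() guard for stand-alone runs are assumptions; check README.perl_hook (or the perl-filter man page) of your INN version before installing it as filter_innd.pl.

```perl
#!/usr/bin/perl
# Added example (not from the original post, not INN's own code).
# innd is assumed to fill %hdr before each filter_art() call and to
# expose the article body as $hdr{'__BODY__'}.  "" = accept; any other
# string = reject, with that string written to innd's log.  Nothing is
# ever rewritten: a rejected article is simply not propagated.
use strict;
use warnings;

our %hdr;   # populated by innd (assumed convention)

sub filter_art {
    my $ctype = lc($hdr{'Content-Type'} // '');
    my $body  = $hdr{'__BODY__'}        // '';

    # 1. Declared HTML (multipart/alternative almost always carries an
    #    HTML part too).  Reasons are short fixed strings so the log
    #    stays greppable.
    return "HTML content not accepted"
        if $ctype =~ m{^\s*(?:text/html|multipart/alternative)\b};

    # 2. Undeclared HTML: a text/plain article whose body opens with
    #    a markup tag.
    return "HTML content not accepted"
        if $body =~ m{\A\s*<(?:!doctype\s+html|html|body|script)\b}i;

    # 3. uuencoded binary: a "begin <mode> <name>" line followed by a
    #    full-length data line ('M' = 45 bytes, i.e. 60 encoded chars).
    return "uuencoded binary not accepted"
        if $body =~ m{^begin\s+[0-7]{3,4}\s+\S+\r?\nM\S{60}\r?$}m;

    return "";   # accept
}

# Stand-alone run with constructed articles (innd loads this file
# with a caller, so this block is skipped there; assumed).
unless (caller) {
    my @samples = (
        [ 'plain',    { 'Content-Type' => 'text/plain; charset=us-ascii',
                        '__BODY__'     => "Just text.\n" } ],
        [ 'html',     { 'Content-Type' => 'text/html',
                        '__BODY__'     => "<html><body>hi</body></html>\n" } ],
        [ 'sneaky',   { 'Content-Type' => 'text/plain',
                        '__BODY__'     => "<HTML><B>bold</B></HTML>\n" } ],
        [ 'uuencode', { 'Content-Type' => 'text/plain',
                        '__BODY__'     => "begin 644 cat.gif\nM" . ('A' x 60) . "\n`\nend\n" } ],
    );
    for my $s (@samples) {
        %hdr = %{ $s->[1] };
        my $verdict = filter_art();
        printf "%-9s %s\n", $s->[0],
            $verdict eq '' ? 'accept' : "reject: $verdict";
    }
}

1;
```

Run it directly with perl to see the four verdicts (plain accepted, the other three rejected with their reason); under innd only filter_art() is used. Rejecting by return value keeps the per-article cost to a couple of regex passes over the headers and the first lines of the body, which is the concern raised above about running a full sanitizer over a million articles a day.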