[7499] in bugtraq
Re: Object tag crashes Internet Explorer 4.0
daemon@ATHENA.MIT.EDU (Brett Glass)
Thu Jul 30 15:49:47 1998
Date: Thu, 30 Jul 1998 10:39:52 -0600
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
X-To: Brian Behlendorf <brian@HYPERREAL.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980730000724.1670.qmail@hyperreal.org>

John Hardin's HTML trap for procmail (I've been helping him expand it
to close the Outlook/Netscape long file name hole) defangs OBJECT tags
too. See the "Notes" section on the bottom of the page at

http://www.wolfenet.com/~jhardin/procmail-kit.html

John deserves a lot of credit. His package lays the groundwork for a whole
BUNCH of protective "safety nets" that can prevent e-mail exploits. (I was
planning to implement something like it to protect my users, but it would
have taken me WEEKS if I'd started from scratch. A fix based on his work
took less than a day to create.)

Everyone on this list who has some understanding of procmail and regular
expressions should review the filters at the above URL and suggest
improvements.

--Brett

At 05:06 PM 7/29/98 -0700, Brian Behlendorf wrote:
>in message 19980728171036.5485.qmail@hotmail.com, Georgi Guninski
><guninski@HOTMAIL.COM> told us about an Object Tag problem in MSIE 4.0. He
>described it:
>
>> The <OBJECT> tag seems to crash Internet Explorer 4.0 under Win95 (don't
>> know about other versions/OS).
>> The following:
>> <OBJECT CLASSID=____More than 250 characters here____></OBJECT>
>> opens a dialog box "IEXPLORE: ...illegal operation" and closes IE 4.0,
>> or a blue screen with "Fatal exception 0E" and you need to reboot.
>> I don't think this is exploitable(?), but it is a bad "feature".
>
>This is good to know - the only problem is that as an attachment, Georgi also
>appended an actual example of such an OBJECT tag:
>
>> -------------------------------------Cut here: Object.html -------
>> <HTML>
>> Trying to crash IE 4.0
>> <OBJECT CLASSID=111...111111111>
>> </OBJECT>
>> </HTML>
>
>The '...' above being replaced with enough other 1's to do the deed.
>
>Of course, in doing so, my Win95/Eudora 4 Pro (which is configured to use
>MSIE 4.0 as its 'HTML browser') crashed before I could read his message.
>Crashed the whole OS, actually, losing about 3 hours' worth of work.
>
>Now, you could say I have no right to complain, it's my own fault for running
>ripshod software on a crappy OS, and I wouldn't argue.
>
>But I would still like to ask that posters to BugTraq, and other forums,
>refrain from posting actual, "lethal" examples of the mailer bugs they are
>talking about. At this time I'm unaware of any patch for this particular
>problem, other than "use WordPad to read your mail" or "get a real OS".
>
>Thanks.
>
> Brian
>
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>"Common sense is the collection of prejudices | brian@apache.org
>acquired by the age of eighteen." - Einstein | brian@hyperreal.org
>
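
The kind of "defanging" filter discussed in this message, sketched as an added example: this is not John Hardin's procmail code and not part of the original thread. The DEFANGED-OBJECT replacement name, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Opening or closing OBJECT tag name, any case, optional whitespace after "<".
OBJECT_TAG = re.compile(r"<(\s*/?\s*)object\b", re.IGNORECASE)

def defang_html(text):
    """Rename OBJECT tags so a renderer treats them as unknown, inert markup.
    Returns (new_text, number_of_tags_renamed)."""
    return OBJECT_TAG.subn(r"<\1DEFANGED-OBJECT", text)

def defang_message(raw):
    """Sanitize every text/* part (body or attachment) of a raw message.
    Returns (EmailMessage, total_tags_renamed)."""
    msg = message_from_string(raw, policy=policy.default)
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary parts
        body, count = defang_html(part.get_content())
        if count:
            # set_content() clears Content-* headers, so carry the
            # disposition and filename over explicitly.
            part.set_content(
                body,
                subtype=part.get_content_subtype(),
                disposition=part.get_content_disposition(),
                filename=part.get_filename(),
            )
            total += count
    return msg, total

def build_sample():
    """Constructed sample: plain body plus an HTML attachment whose OBJECT
    tag carries an over-long CLASSID, as described in the quoted report."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.\n")
    html = "<HTML>\n<OBJECT CLASSID=" + "1" * 300 + ">\n</OBJECT>\n</HTML>\n"
    msg.add_attachment(html, subtype="html", filename="Object.html")
    return msg.as_string()

if __name__ == "__main__":
    clean, renamed = defang_message(build_sample())
    print("tags renamed:", renamed)
```

Run at delivery time (for example from a mail filter pipe), this rewrites the message before any mail client hands it to an HTML renderer.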