[7591] in bugtraq
Re: Eudora executes (Java) URL
daemon@ATHENA.MIT.EDU (John D. Hardin)
Mon Aug 10 12:09:36 1998
Date: Sat, 8 Aug 1998 01:35:42 -0700
Reply-To: "John D. Hardin" <jhardin@wolfenet.com>
From: "John D. Hardin" <jhardin@WOLFENET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980807150836.23594C-100000@gypsy.rubyriver.com>
On Fri, 7 Aug 1998, John D. Hardin wrote:
> Actually there were rumbles about this on bugtraq as far back as February.
> I remember because it prompted me to add active-HTML tag mangling to my
> procmail filter set.
>
> BTW, just in case you haven't heard yet,
>
> <PLUG TYPE="shameless">
> Drop by http://www.wolfenet.com/~jhardin/procmail-security.html
> </PLUG>
>
> Comments solicited.
In the filter that attempts to sanitize <BODY ONLOAD="exploit"> tags, the
following Perl regular expression occurs:
s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;
Dick St. Peters <stpeters@NetHeaven.com> reports that on SunOS 4.1.3 +
Perl 5.004 this RE never exits, leading to massive system loads when mail
containing HTML is being processed.
I have confirmed it works properly under Linux 2.0.33 + Perl 5.004_01,
SunOS 4.1.4 + Perl 5.004_04 and Alpha OSF/1 V3.0 + Perl 5.004_04.
Can anyone confirm these results?
I have modified the released kit to use a simpler RE by default and offer
this as an alternative after testing.
If anybody else experiences a problem with this RE, either update to the
current kit or delete the offending line from the HTML filter perl script.
--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change
to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
78 days until Daylight Savings Time ends
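Added illustration, not code from the posted kit: a Python port of the quoted expression next to a linear-time rewrite of the same defanging step (the mail does not give the simpler RE, so SIMPLE is an assumption of mine). A failed search against a tag with no ONLOAD is the case that exposes the backtracking.

```python
import re
import time

# Port of the expression quoted in the mail (Perl s///gi -> Python re).
# The attribute part (([^">]+(...)?)*) nests a + inside a *, so a run of
# n attribute characters can be split between iterations in 2^(n-1) ways;
# when ONLOAD never follows, every split is tried before the match fails.
NESTED = re.compile(r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD', re.I)

# Linear-time alternative (my own rewrite, not from the kit): each character
# is consumed by exactly one branch, a bare character or a whole quoted
# value, so there is only one way to walk the attribute text and a failed
# search costs O(n). A quoted value may still contain '>' safely.
SIMPLE = re.compile(r'<BODY\s((?:[^"<>]|"[^"]*")*?)ONLOAD', re.I)

def defang(html, pattern=SIMPLE):
    """Rewrite <BODY ... ONLOAD ...> to <BODY ... DEFANGED-ONLOAD ...>."""
    return pattern.sub(r'<BODY \g<1>DEFANGED-ONLOAD', html)

def failed_search_seconds(pattern, n):
    """Wall time of one search against a constructed BODY tag with n
    attribute characters and no ONLOAD (the non-matching case)."""
    tag = '<BODY ' + 'a' * n + '>'          # constructed input
    t0 = time.perf_counter()
    pattern.search(tag)
    return time.perf_counter() - t0

if __name__ == '__main__':
    print(defang('<BODY bgcolor="#fff" onload="evil()">'))
    # Doubling the work with every four extra characters shows the 2^n cost.
    for n in (10, 14, 18):
        print(f'n={n:2d}  nested={failed_search_seconds(NESTED, n):.4f}s'
              f'  simple={failed_search_seconds(SIMPLE, n):.6f}s')
```

Keep n small for NESTED; a few dozen attribute characters without ONLOAD are enough to make the search run effectively forever, which is the symptom the report describes.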