[7615] in bugtraq


Re: Eudora executes (Java) URL

daemon@ATHENA.MIT.EDU (Vitiello, Eric (BHS))
Tue Aug 11 17:48:45 1998

Date: 	Tue, 11 Aug 1998 15:58:03 -0400
Reply-To: "Vitiello, Eric (BHS)" <Evitiello@BHSI.COM>
From: "Vitiello, Eric (BHS)" <Evitiello@BHSI.COM>
To: BUGTRAQ@NETSPACE.ORG

> [From an anti-mail-exploit-procmail-filter-perl-script (see
> http://www.wolfenet.com/~jhardin/procmail-security.html):]
> >  s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;
>
> This pattern will catch lines like
>         <body onload="badthings()">
> converted to
>         <BODY DEFANGED-ONLOAD="badthings()">
> but not
>         <body onload="badthings()" onload="badthings()">
> converted to
>         <BODY onload="badthings()"  DEFANGED-ONLOAD="badthings()">]
> So one onload=... will stay and act.
>
> Also things like < body ... > won't be caught. I don't know if those
> leading spaces are proper HTML, but even if not, one should not suppose
> every bad HTML to be rejected.

The following can fix all of that:

s/<\s+BODY\s+((([^">]+("(\\.|[^"])*")?)*)ONLOAD)*?\s+/<BODY $1 DEFANGED-ONLOAD/gi;

Eric Vitiello
Webmaster^2, Baptist Healthcare System
www.bhsi.com    www.westernbaptist.com
www.baptisteast.com www.centralbap.com
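
Added example, not part of the original message or of the procmail filter: the quoted substitution ported to Python's re module and run on the three cases from the quoted text, beside a tag-scoped pass that renames every onload attribute name inside a body start tag. The function names, the sample strings and the tag-scoped approach are assumptions made for this illustration.

```python
import re

# The quoted filter substitution, ported to Python's re syntax.
QUOTED = re.compile(r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD', re.I)

def defang_quoted(html):
    """Apply the quoted substitution globally, as the /gi flags do."""
    return QUOTED.sub(r'<BODY \1 DEFANGED-ONLOAD', html)

# Added approach (an assumption, not the filter's code): match a whole
# body start tag, allowing whitespace after "<" and stepping over quoted
# values. HTML attribute values have no backslash escapes, so a quoted
# value simply runs to the next matching quote character.
BODY_TAG = re.compile(r'''<\s*body\b(?:[^>"']|"[^"]*"|'[^']*')*>''', re.I)
# Inside the tag: a quoted value (kept as is) or an onload attribute name.
TOKEN = re.compile(r'''("[^"]*"|'[^']*')|(?<![\w-])onload(?=\s*=)''', re.I)
# An onload attribute name that has not been renamed.
LIVE = re.compile(r'(?<![\w-])onload(?=\s*=)', re.I)

def defang_all(html):
    """Rename every onload attribute in every body start tag."""
    def fix_tag(tag):
        return TOKEN.sub(lambda t: t.group(1) or 'DEFANGED-ONLOAD',
                         tag.group(0))
    return BODY_TAG.sub(fix_tag, html)

def live_onloads(html):
    """Count onload attribute names still present under their own name."""
    return len(LIVE.findall(html))

# Constructed sample inputs, based on the cases in the quoted message.
SAMPLES = [
    '<body onload="badthings()">',
    '<body onload="badthings()" onload="badthings()">',
    '< body onload="badthings()">',
]

if __name__ == '__main__':
    for s in SAMPLES:
        for name, fn in (('quoted', defang_quoted), ('tag-scoped', defang_all)):
            out = fn(s)
            print(f'{name:10} {live_onloads(out)} live  {out}')
```

A body tag with an unbalanced quote is not matched by BODY_TAG and passes through unchanged, so a filter built this way still needs a rule for malformed tags.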
