[Mimedefang] HTML Exploits

Rob MacGregor rob.macgregor at gmail.com
Fri May 4 19:36:24 EDT 2007


On 5/4/07, Daniel Aquino <mr.danielaquino at gmail.com> wrote:
<---SNIP--->
> And really if you just remove all ScriptTags and get rid of any Event
> Handlers, then that should clean the HTML, no?

Yes, in theory, but what about UNICODE...?  That makes it *much*
harder to trivially strip such things.

> I'm sure with all the perl html soup crawling libraries out there
> something could be thrown together!

I'd be surprised if somebody hasn't (actually, I'd be surprised if a
few dozen people haven't come up with different ways).  The question
is how thorough is their code?  Will it simply catch ASCII or any of
the dozens (if not hundreds) of ways of abusing UNICODE, or will it
mangle emails that simply have <script> in them (like this one)?

> Maybe outlook could be configured to stop JS from being executed ?

That's why I said to use the Plain Text view option that's been in
Outlook since at least Outlook 2003 :)  It certainly seems to do the
trick.

Personally, I strip all redundant HTML parts from incoming emails AND
have Outlook configured to view all emails as plain text only, plus
rebuild anything that gets a spam hit above a certain level (and have
my SA rules set so that anything that's HTML only is guaranteed a
rebuild).

The downside is that the action_rebuild doesn't seem to take effect
until after MD has done its processing (though I may be wrong), which
means that local scanners don't benefit from it.  I do have a further
scanner, however, that does benefit from this.

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
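
An allowlist-based sanitizer of the kind the thread is discussing, added here as an example and not code from the thread or from MIMEDefang. It assumes Python's standard html.parser, which decodes entity-encoded tag and attribute values before the checks run, so the check is on what a mail client would actually see; the sample body is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not named here is dropped, so no denylist of tag or
# attribute spellings (and their encoded variants) needs maintaining.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}           # no on* handlers or style anywhere
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its body both go

def safe_url(value):   # accept relative references and allowlisted schemes only
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    return ":" not in head or head.split(":", 1)[0] in ALLOWED_SCHEMES

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded before checks
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):        # names arrive lowercased
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:   # unknown tag goes, text stays
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and (n != "href" or safe_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                  # re-escape: a mention of <script> stays text
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample (not from the thread): handler attribute, script element,
# entity-encoded scheme in an href, and a harmless textual mention of a tag.
SAMPLE = ('<p onmouseover="run()">Hi <b>there</b>, see &lt;script&gt; in the text.</p>'
          '<script>run()</script><a href="&#106;avascript:run()">bad</a> '
          '<a href="https://example.com/">ok</a><br/>')
```

Running sanitize(SAMPLE) keeps the formatting tags and the escaped mention, and drops the handler, the script element and the encoded href while leaving the link text in place.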
