[Mimedefang] HTML Exploits

Rob MacGregor rob.macgregor at gmail.com
Sat May 5 14:48:20 EDT 2007


On 5/5/07, Daniel Aquino <mr.danielaquino at gmail.com> wrote:
> unicode or ascii... the process of reading them should be abstracted
> so that the higher level code has one set of data to read... if a html
> browser can read the js why can't we?

The trouble is, with Unicode there are multiple character codes that
produce the same character, even ignoring case.

On 5/5/07, Daniel Aquino <mr.danielaquino at gmail.com> wrote:
> Well reality is we get lots of emails from companies we resell for...
>
> And lots of things today are HTML based email...

Yeah, I convert all of those to plain text.  There are only a very few
that this actually renders unreadable.

> We "have" to support it...
>
> But at the same time we "have" to secure it...

Ah, so what you're saying is that you're doomed :)

> It's not good enough to depend on a dumb user to use the text view...

So lock it down so that they can't change it from the text view.

> When they get infected, everyone can get infected!!!

Correct, but if you expect to achieve 100% security then you're in for
a nasty surprise.  As David said, you have to allow for client side
bugs that mean that non-standard behaviour results.

You may get some value from HTML::Sanitizer, but you need to put as
much protection as possible at each link (that is, don't forget the
desktop, and educating the users).  You probably also want to only
allow HTML emails inbound from specific domains.

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
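As an added illustration of Rob's point that several Unicode code point sequences produce the same character on screen, so a filter that compares raw strings disagrees with what the reader sees: this example is written for this archive page, is not code from the thread or from MIMEDefang, and uses Python rather than the Perl MIMEDefang filters are written in. The sample string pairs are constructed. It folds Unicode-equivalent spellings with NFKC before comparing, and separately flags mixed-script words, which look alike but are not Unicode-equivalent and so survive normalisation.

```python
import unicodedata

# Constructed sample pairs (not from the thread). Each pair reads the same
# on screen but is a different sequence of code points.
LOOKALIKES = {
    "precomposed_vs_combining": ("caf\u00e9", "cafe\u0301"),   # é vs. e + combining acute
    "ascii_vs_fullwidth": ("script", "\uff53\uff43\uff52\uff49\uff50\uff54"),
    "letters_vs_ligature": ("fi", "\ufb01"),                    # "fi" vs. the fi ligature
    "latin_vs_greek": ("ABC", "\u0391\u0392C"),                 # Greek Alpha/Beta + Latin C
}


def canonical(text: str) -> str:
    """NFKC folds canonical equivalents (e + combining acute -> é) and
    compatibility variants (fullwidth letters, ligatures) into one form;
    casefold then removes case differences."""
    return unicodedata.normalize("NFKC", text).casefold()


def equivalent(a: str, b: str) -> bool:
    """True when a and b are the same text after canonicalisation."""
    return canonical(a) == canonical(b)


def letter_scripts(text: str) -> set:
    """Writing systems used by the letters in text, read from the first
    word of each character's Unicode name (LATIN, GREEK, CYRILLIC, ...)."""
    scripts = set()
    for ch in unicodedata.normalize("NFKC", text):
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split()[0])
    return scripts


def mixed_script(text: str) -> bool:
    """A single word drawing letters from more than one script is a
    look-alike that no normalisation form folds; flag it for review."""
    return len(letter_scripts(text)) > 1


def classify(a: str, b: str) -> str:
    """Summarise how a text filter should treat the pair."""
    if a == b:
        return "identical"
    if equivalent(a, b):
        return "equivalent after normalisation"
    if mixed_script(a) or mixed_script(b):
        return "not equivalent; mixed-script confusable"
    return "different"


def report(pairs=LOOKALIKES) -> dict:
    """Classify every sample pair; the result is what a filter author
    would check before trusting a plain string comparison."""
    return {name: classify(a, b) for name, (a, b) in pairs.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

Run canonical() over a message before any keyword or sender-domain matching, and treat mixed_script() as a separate signal: NFKC handles only the equivalences Unicode itself defines, and Greek Alpha never folds into Latin A.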
