Re: Security bug in Anomy HTML Cleaner

From: Bjarni R. Einarsson (
Date: Sat 21 Jun 2003 - 11:41:08 GMT


    On 2003-06-21, 02:55:01 (-0700), Paul Wallingford wrote:
    > The following code sneaks through and does not get defanged. It is
    > valid HTML / XML and renders in the mail reader (Mozilla). This is a
    > security problem because it can be used by attackers to track recipients
    > and possibly download malicious code to the victim's machine. In this
    > message, it may appear on separate lines, but it appeared all on one
    > line in the original message.
    > <img border="0" src=""/>

    Are you saying you think all external IMG references should be

    A lot of people would disagree with you! :-) So that behavior is

    The default is to block external references to various "unusual"
    non-http protocols such as hcp:// or smb:// or the various internal
    or javascript (about:, javascript:) URL syntaxes.

    If you also want to block any e-mail images originating via
    HTTP or FTP, just set "feat_webbugs = 1". That should do the trick.

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer: Spammers, please send lots of mail to:

    Was I helpful? Let others know:

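The policy Bjarni describes, as an added Python illustration (not the sanitizer's own code): image references are blocked by URL scheme, with the "unusual" schemes blocked by default and the feat_webbugs switch extending the block to http/ftp web bugs. The scheme sets, the defang_images/should_block names and the sample mail body are constructed assumptions; a blocked reference is rewritten to the empty src="" seen in the original report.

```python
import re

# Constructed scheme lists modelled on the reply: hcp://, smb://, about: and
# javascript: are blocked by default; http/ftp only when feat_webbugs is on.
DEFAULT_BLOCKED = {"hcp", "smb", "about", "javascript"}
WEBBUG_SCHEMES = {"http", "https", "ftp"}

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(
    r"""\bsrc\s*=\s*(?P<q>["']?)(?P<url>[^"'\s>]*)(?P=q)""", re.IGNORECASE)


def scheme_of(url):
    """Return the lowercase URL scheme, or '' for scheme-less references."""
    m = re.match(r"\s*([a-zA-Z][a-zA-Z0-9+.\-]*):", url)
    return m.group(1).lower() if m else ""


def should_block(url, feat_webbugs=False):
    """Default policy blocks unusual schemes; feat_webbugs adds http/ftp."""
    s = scheme_of(url)
    if s in DEFAULT_BLOCKED:
        return True
    return feat_webbugs and s in WEBBUG_SCHEMES


def defang_images(html, feat_webbugs=False):
    """Blank the src of every <img> the policy rejects.

    Returns (sanitized_html, list_of_blocked_urls). A real sanitizer uses a
    full HTML parser; the regex is enough to show the policy decision.
    """
    blocked = []

    def fix_tag(m):
        def fix_src(sm):
            url = sm.group("url")
            if should_block(url, feat_webbugs):
                blocked.append(url)
                q = sm.group("q") or '"'
                return f"src={q}{q}"  # defanged: empty src, tag otherwise kept
            return sm.group(0)
        return SRC_ATTR.sub(fix_src, m.group(0))

    return IMG_TAG.sub(fix_tag, html), blocked


# Constructed sample mail body; the hosts are placeholders, not real sites.
SAMPLE = ('<p>Hi</p><img border="0" src="http://tracker.example/pixel.gif?id=123"/>'
          '<img src="smb://fileserver.example/share/x.bmp">'
          '<img src="cid:logo.png@part1">')
```

With the default policy only the smb:// image is defanged and the tracking pixel passes; with feat_webbugs=True the http:// pixel is blanked too, while the inline cid: image is left alone in both modes.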