anomy-bugs

Re: Security bug in Anomy HTML Cleaner

From: Bjarni R. Einarsson (25888@xyz.molar.is)
Date: Sat 21 Jun 2003 - 11:41:08 GMT

  • Next message: Holger Kunst: "Sanitizer Hangs"

    On 2003-06-21, 02:55:01 (-0700), Paul Wallingford wrote:
    > The following code sneaks through and does not get defanged. It is
    > valid HTML / XML and renders in the mail reader (Mozilla). This is a
    > security problem because it can be used by attackers to track recipients
    > and possibly download malicious code to the victim's machine. In this
    > message, it may appear on separate lines, but it appeared all on one
    > line in the original message.
    >
    > <img border="0" src="http://www.lunarlandrush.com/images/moon_032303_1.gif"/>

    Are you saying you think all external IMG references should be
    defanged?

    Alot of people would disagree with you! :-) So that behavior is
    configurable:

    The default is to block external references to various "unusual"
    non-http protocols such as hcp:// or smb:// or the various internal
    or javascript (about:, javascript:) URL syntaxes.

    If you also want to block anything e-mail images originating via.
    HTTP or FTP, just set "feat_webbugs = 1". That should do the trick.

    -- 
    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
     25888@xyz.molar.is                -><-              http://bre.klaki.net/
    

    Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send lots of mail to: 26012@xyz.molar.is

    Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler



    hosted by molar.is