Re: Announcing, revision 1.54

From: Andrew (
Date: Wed 18 Sep 2002 - 14:07:13 GMT

    At 11:26am Today Bjarni R. Einarsson wrote:

    > The only change this time is within the HTML cleaner (which has
    > been updated to revision 1.17), adding protection against the
    > hcp:// protocol exploit discussed here:
    > When adding this I realized that there may be quite a few other
    > protocols I should be blocking, so any feedback on what
    > protocols you feel should be allowed in or banned from HTML
    > src= and href= attributes would be most welcome.

    To set the ball rolling, here's the list at the moment:


    If you ban web bugs you also get
            (https? ... I might have missed it)

    (And now hcp, somewhere).

    Here's one you can block without pangs of conscience:

            telnet Windows 2000 telnet attempts NTLM authentication (or at
                    least, it did). Network sniffs can be fed to a
                    password cracking program.
            about Don't know what this will be doing in mail, and
                    there's some scripting possibilities ..

    And this?

            opera Opera seems to support its own kind of about
                    thingy you can do opera:cache - I don't know if
                    that's good for anything legitimate.

    BUT! why not just block everything that's not included with the
    message (although that's quite bad too, come to think of it :)

    On an unrelated note, I see that there are a few things that are
    rumoured to be scriptable, some of which get past Anomy's
    sanitizer -- particularly img dynsrc=xxx - selected from an old
    bugtraq post ...

      <input type="image" dynsrc="javascript:[code]"> [IE]
      &{[code]}; [N4]
      <img src=&{[code]};> [N4]
      <img src="mocha:[code]"> [N4]
      <img src="blah"onmouseover="[code]">
      <img src="blah>" onmouseover="[code]">

    The netscape4 stuff is not quite as worrying as the <img
    src="blah>" ... > thing - which could be quite hard to fix.
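An allowlist-based attribute filter in the spirit of the "block everything that's not included with the message" suggestion above, as an added example (not Anomy's sanitizer code): it tokenizes with Python's html.parser instead of regexes, so the quoted src="blah>" trick cannot hide the onmouseover= that follows it, drops event-handler attributes outright, and keeps src/href/dynsrc only when the URL scheme is on a short allowlist. The allowlist (http, https, mailto, cid for message parts) and the set of URL-carrying attributes are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: the schemes a mail sanitizer is willing to let through; "cid"
# stands for parts included with the message itself.
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}
URL_ATTRS = {"src", "href", "dynsrc", "lowsrc", "background", "action"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def attr_is_safe(name, value):
    """Reject event handlers and URL attributes with a non-allowlisted scheme."""
    if name.startswith("on"):                 # onmouseover= and friends
        return False
    if name not in URL_ATTRS:
        return True
    if value is None or "&{" in value:        # Netscape 4 &{[code]}; trick
        return False
    # Strip control characters first so "java\tscript:" still reads as javascript:
    m = SCHEME_RE.match(re.sub(r"[\x00-\x20]", "", value))
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


class SchemeFilter(HTMLParser):
    """Re-emits the markup it is fed, minus rejected attributes."""
    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        # attrs come from a real tokenizer: src="blah>" is one value, and the
        # onmouseover= after it is a separate attribute we can reject.
        kept = [tag]
        for name, value in attrs:
            if attr_is_safe(name, value):
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
            else:
                self.dropped.append((tag, name, value))
        self.out.append("<" + " ".join(kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):              # text nodes are re-escaped
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (cleaned_html, dropped_attributes) for an HTML fragment."""
    parser = SchemeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The dropped list is what you would log or report back to the sender; the vectors from the bugtraq list above (dynsrc=, mocha:, src=&{...}, and the quoted-'>' case) all end up there.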


