Found dangerous Object Codebase tag...

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Tue Aug 12 19:38:31 IST 2003


I'm *sure* others on this list are more qualified to answer that question
than I, but here's some background info:
http://www.w3.org/TR/REC-html40/struct/objects.html

...and it looks like you can specify an object of any mime type.  The
codebase attribute seems analogous to the HTML tag "baseref" - i.e. it just
sets the parent path for use with relative urls - so it doesn't seem to
necessarily imply that the object being loaded is actual code (for instance
a jpg could also have a codebase attribute, though that seems an unlikely
usage).  Java counts, not sure about JavaScript.  You can also have code
loaded by an object tag without the codebase attribute though, so this
doesn't really protect against loading Java...

Perhaps the motivation for treating object tags with codebase attributes
specially is a result of a specific bug, rather than just the general idea
of using the object tag as I implied earlier.

FYI, the code that handles this is in the SweepContent.pm module.

HTH,
Trever


> -----Original Message-----
> From: Kevin Miller [mailto:Kevin_Miller at CI.JUNEAU.AK.US]
> Sent: Tuesday, August 12, 2003 12:17 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Found dangerous Object Codebase tag...
>
>
> Can you give an example?  Would Java or JavaScript count?  Is this typically
> tracking mechanisms, with some malevolency thrown in by the odd miscreant?
>
> Also, if I change MS to strip out the code, do html messages come in
> butt-ugly or are they still pretty much intact and functional?
>
> As always, much appreciated...
>
> ...Kevin
> -------------------
> Kevin Miller                Registered Linux User No: 307357
> CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
> 155 South Seward Street     ph: (907) 586-0242
> Juneau, Alaska 99801        fax: (907 586-4500
>
>
> >-----Original Message-----
> >From: Furnish, Trever G [mailto:TGFurnish at HERFF-JONES.COM]
> >Sent: Tuesday, August 12, 2003 9:09 AM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Found dangerous Object Codebase tag...
> >
> >
> >An HTML tag that causes a browser to load programming code when the page is
> >viewed.  Some mail filtering systems "defang" such tags by changing them to
> >something safe, which usually leaves the rest of the message completely
> >readable, but I don't think (and will hopefully be corrected if I'm wrong)
> >that MS yet can be made to do that.
> >
> >Actually, are there any plans (or does anyone have a suggestion for the best
> >way to) allow using such "defanging" functionality in MS?  In a past life I
> >used a procmail script
> >(http://www.impsec.org/email-tools/procmail-security.html) that would
> >prepend DEFANGED to the start of tags considered dangerous.  It was nice
> >functionality, even if only for all the anger it engendered in the web dev
> >department. :-)
> >
> >-t.
> >
> >
> >> -----Original Message-----
> >> From: Kevin Miller [mailto:Kevin_Miller at CI.JUNEAU.AK.US]
> >> Sent: Tuesday, August 12, 2003 11:41 AM
> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> Subject: Found dangerous Object Codebase tag...
> >>
> >>
> >> Can someone please tell me what an object codebase tag is and why they're
> >> dangerous?  I get reports like the following pretty regularly; most are
> >> probably spam, but I think this one is legitimate.  Dreadfully boring IMHO,
> >> but legitimate. <g>
> >>
> >> I can whitelist this one, but would be chuffed to know what's actually going
> >> on here.
> >>
> >> ------------------------------------------------------------------------
> >> The following e-mail messages were found to have viruses in them:
> >>
> >>     Sender: calandrastockwatch-html-return-18-bosco_beancounter=ci.juneau.ak.us at mail2.marketwatchmail.com
> >> IP Address: 63.240.173.124
> >>  Recipient: bosco_beancounter at ci.juneau.ak.us
> >>    Subject: Thom Calandra's StockWatch: Miners rush to finance ventures as bullion gains steam
> >>  MessageID: h7BGiwJ7001861
> >>     Report: Found dangerous Object Codebase tag in HTML message
> >> ------------------------------------------------------------------------
> >>
> >> TIA...
> >>
> >> ...Kevin
> >> -------------------
> >> Kevin Miller                Registered Linux User No: 307357
> >> CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
> >> 155 South Seward Street     ph: (907) 586-0242
> >> Juneau, Alaska 99801        fax: (907 586-4500
> >>
> >
>
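
The distinction discussed in this thread, as an added Python example (it is not MailScanner's SweepContent.pm code and not the procmail sanitizer): a rule keyed on the codebase attribute alone compared with one that looks at every object tag, followed by DEFANGED-style renaming of the tag. The attribute list, the DEFANGED_ prefix format and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes through which an <object> names something for the client to fetch.
# (Assumed list for this example.)
LOADER_ATTRS = ("codebase", "classid", "data")

class ObjectTagFinder(HTMLParser):
    """Collect the loader attributes of every <object> start tag."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling us.
        if tag == "object":
            self.findings.append({k: v for k, v in attrs if k in LOADER_ATTRS})

def scan(html):
    """Return one dict of loader attributes per <object> tag in the body."""
    finder = ObjectTagFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def codebase_hits(findings):
    """The narrower rule: only <object> tags that carry a codebase attribute."""
    return [f for f in findings if "codebase" in f]

# Matches the name of an opening or closing object tag, in any letter case.
OBJECT_TAG = re.compile(r"<(/?)(object)(?=[\s/>])", re.IGNORECASE)

def defang(html):
    """Prefix the tag name so a client no longer recognises it as <object>."""
    return OBJECT_TAG.sub(r"<\1DEFANGED_\2", html)

# Constructed sample body, not taken from the message reported in the thread.
SAMPLE = (
    '<p>Newsletter</p>\n'
    '<OBJECT classid="clsid:00000000-0000-0000-0000-000000000000" '
    'CODEBASE="http://example.invalid/ctl.cab"></OBJECT>\n'
    '<object classid="java:Ticker.class" width="1" height="1"></object>\n'
    '<object data="logo.png" type="image/png"></object>\n'
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    print("object tags:", len(found), "with codebase:", len(codebase_hits(found)))
    print(defang(SAMPLE))
```

On the sample, the codebase-only rule reports one of the three object tags and passes the Java one that has no codebase attribute; after defanging, the surrounding markup is unchanged and no object tag remains for a client to act on.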


