Internet Explorer URL Display problem

Julian Field mailscanner at ecs.soton.ac.uk
Thu Dec 11 15:34:17 GMT 2003


At 15:27 11/12/2003, you wrote:
>%0[0-9] would be better (or something like that).

%[01][0-9a-fA-F]
instead of
%01
perhaps?

I would imagine that the guy who found this exploit tested other characters
too and found them not to be vulnerable. So %01 is probably good enough.

>Or, any obfuscated "unprintable" ASCII code which isn't legitimate.
>I'd hazard a guess that anything other than %20 is dodgy, but I'm no expert.
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: 11 December 2003 14:59
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Internet Explorer URL Display problem
> >
> >
> > At 14:22 11/12/2003, you wrote:
> > >On Thu, 11 Dec 2003, Julian Field wrote:
> > >
> > > > What I have done is set the score of the rule to 100, set my high scoring
> > > > threshold to 100, and set the high scoring spam actions to "delete". That
> > > > way the users never knew they were going to get it.
> > >
> > >Julian:  There was a massive overnight discussion about what the "rule"
> > >should be, and I must confess to not having absorbed every last detail or
> > >two (or three or four... thousand).
> > >
> > >Could you summarise the consensus SA rule etc., please?  Thanks.
> >
> > # JKF 11/12/2003
> > # This next rule provides some protection against the latest IE vulnerability
> > uri     IE_VULN                 /%01.*@/
> > score   IE_VULN                 100.0
> > describe        IE_VULN         Internet Explorer vulnerability
> >
> > > > >I will have a look at this - Julian, have you got patches for SA 2.61
> > > > >yet? (The page says to ask for patches for new versions of SA!! ;-)
> > > >
> > > > Not yet, but will do that this afternoon (nearly end of term here so
> > > > actually have my head above water for once!).
> > >
> > >Julian: Could you get the SA folk to include your patches in their
> > >distributions?
> >
> > I've tried before, to no avail.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
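
An added example, not part of the original message and not MailScanner or SpamAssassin code: it runs the rule posted in the thread and the broader `%[01][0-9a-fA-F]` class over constructed URLs to show what each one flags. Appending the rule's `.*@` to the broader class, the userinfo-only check and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Regex body of the rule exactly as posted in the thread.
RULE_POSTED = re.compile(r"%01.*@")
# Assumption: the broader class from the reply, substituted for %01 in the
# posted rule. It covers every percent-encoded control byte, %00 to %1F.
RULE_BROAD = re.compile(r"%[01][0-9a-fA-F].*@")
CTRL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")


def userinfo_has_control_escape(url):
    """Stricter check (assumption): encoded control byte before '@' in the authority only."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return False
    userinfo = netloc.rsplit("@", 1)[0]
    return bool(CTRL_ESCAPE.search(userinfo))


def classify(url):
    """Report which of the three checks flag the given URL."""
    return {
        "posted": bool(RULE_POSTED.search(url)),
        "broad": bool(RULE_BROAD.search(url)),
        "userinfo": userinfo_has_control_escape(url),
    }


# Constructed sample URLs (documentation hosts and addresses only).
SAMPLES = [
    "http://www.example.com%01@192.0.2.10/login",    # the pattern the rule targets
    "http://www.example.com%1f@192.0.2.10/login",    # other control byte, lowercase hex
    "http://user@www.example.com/index.html",        # plain userinfo, no escapes
    "http://www.example.com/search?q=a%01b&mail=bob@example.org",  # %01 and @ in the query
    "http://www.example.com/a%20b",                  # ordinary encoded space
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify(url), url)
```

The fourth sample shows that a pattern applied to the whole URI string also fires when `%01` and `@` both sit in the query string, which matters when the rule scores 100 and the high-scoring action is "delete".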


