Allow ..... Tags = disarm

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 5 11:46:08 GMT 2003


Just to provide you all with more detail on exactly how this feature works,
here is a bit of a description. If, from this, you think I have done
something badly wrong, then please tell me.

Disarming Form Tags

A "Form" tag is replaced with a "MailScannerFormxxxx" tag, where xxxx is an
essentially random number (it's actually the process id). As this is an
HTML tag not recognised by your email client (or web browser) it will just
be ignored completely, as it should be according to the HTML spec.
An "Input" tag is modified so its type is a "reset" button, and all
JavaScript "on..." methods are removed.
A "Button" tag is modified so its type is a "reset" button, and all
JavaScript "on..." methods are removed.

Disarming Object Codebase Tags

An "object" tag which has an attribute called "codebase" will be replaced
with a "MailScannerObjectxxxx" tag, just like the "Form" tag above.

Disarming IFrame Tags

Again, an "iframe" tag will be replaced with a "MailScannerIFramexxxx" tag.

Notes

The point of the xxxx number on the end of each tag name is to protect
against an attack in which a new XML object or stylesheet setting is used
to create a new tag called "MailScannerForm" which has the same actions as
a conventional "Form" tag. By putting the number on the end, I am
protecting against this by insisting that the malicious email author must
at least create a new tag for each possible value of xxxx. This is at least
65500 combinations or so. On nice systems the PID is a 32-bit number which
makes the attack a whole lot harder. I could have used a real random
number, which I will change to if you think it is worth doing. But then
I've got to properly seed the random number generator or else it will
create a predictable sequence of values which is easier to attack than just
using the PID.

Ignore upper and lower case in any of my tag names above; it is of course
case-insensitive.
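The three rewrites described above (Form/Input/Button, Object-with-codebase, IFrame), together with the process-id suffix discussed in the Notes, as an added example. This is not MailScanner's own code (MailScanner is written in Perl); it is a Python sketch of the same technique written for this post. The tag and attribute regexes, the function names and the sample message body are this example's own constructions, and the tag name matching is case-insensitive as the post says it should be.

```python
"""Python sketch of MailScanner-style HTML "disarming" (example code, not
MailScanner's own).  Behaviour follows the post: form/iframe tags and
object tags carrying codebase= are renamed to unknown MailScannerXxxxNNNN
tags; input/button controls become type="reset" with every on... handler
removed.  The regexes and helper names below are this example's choices."""
import os
import re

# One HTML tag: optional closing slash, tag name, raw attribute text,
# optional trailing "/" of a self-closing tag.  A '>' inside a quoted
# attribute value would end the match early; a production disarmer should
# use a real tokeniser rather than this regex.
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*?)(/?)>', re.DOTALL)

# One attribute: name, then an optional =value (quoted or bare).
ATTR_RE = re.compile(
    r'''([A-Za-z_:][-A-Za-z0-9_:.]*)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?''')


def parse_attrs(raw):
    """Return [(name, '=value' or None)] from a tag's raw attribute text."""
    return [(m.group(1), m.group(2)) for m in ATTR_RE.finditer(raw)]


def has_attr(raw, wanted):
    """Case-insensitive test for an attribute name (e.g. codebase)."""
    return any(name.lower() == wanted for name, _ in parse_attrs(raw))


def neutralise_control(raw):
    """Force type="reset" and drop all on... event handlers (input/button)."""
    kept = []
    for name, value in parse_attrs(raw):
        lname = name.lower()
        if lname.startswith('on') or lname == 'type':
            continue  # JavaScript handler or the original type: remove
        kept.append(name + (value or ''))
    kept.append('type="reset"')
    return ' ' + ' '.join(kept)


def disarm_html(html, suffix=None):
    """Rewrite a message body as the post describes.

    suffix defaults to the process id, as in the post; pass a fixed string
    for reproducible output (as the test below does)."""
    if suffix is None:
        suffix = str(os.getpid())
    object_stack = []  # True for each open <object> that was renamed

    def rewrite(m):
        closing, name, raw, selfclose = m.groups()
        lname = name.lower()
        if lname == 'form':
            return f'<{closing}MailScannerForm{suffix}{raw}{selfclose}>'
        if lname == 'iframe':
            return f'<{closing}MailScannerIFrame{suffix}{raw}{selfclose}>'
        if lname == 'object':
            # Only objects with codebase= are renamed; remember the decision
            # so the matching </object> is renamed consistently.
            if not closing:
                renamed = has_attr(raw, 'codebase')
                object_stack.append(renamed)
            else:
                renamed = object_stack.pop() if object_stack else False
            if renamed:
                return f'<{closing}MailScannerObject{suffix}{raw}{selfclose}>'
            return m.group(0)
        if lname in ('input', 'button') and not closing:
            return f'<{name}{neutralise_control(raw)}{selfclose}>'
        return m.group(0)

    return TAG_RE.sub(rewrite, html)


# Constructed sample message body (not taken from the post or any real mail).
SAMPLE = (
    '<html><body>'
    '<form action="http://example.invalid/login" method="post">'
    '<input type="text" name="user">'
    '<input type="submit" value="Go" onclick="send()">'
    '<button type="submit" onmouseover="track()">OK</button>'
    '</form>'
    '<object codebase="http://example.invalid/x.cab" classid="clsid:0">x</object>'
    '<object data="img.png">y</object>'
    '<iframe src="http://example.invalid/frame.html"></iframe>'
    '</body></html>'
)

if __name__ == '__main__':
    print(disarm_html(SAMPLE))
```

Running the block prints the sample with the form, the codebase object and the iframe renamed to tags carrying the current PID, the two inputs and the button turned into reset buttons with their handlers gone, and the plain `<object data=...>` left untouched.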

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654


