Allow ..... Tags = disarm

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Wed Nov 5 15:07:13 GMT 2003 

> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: Wednesday, November 05, 2003 6:46 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Allow ..... Tags = disarm
>
> Disarming Form Tags
>
> A "Form" tag is replaced with a "MailScannerFormxxxx" tag,
> where xxxx is an
> essentially random number (it's actually the process id). As
> this is an
> HTML tag not recognised by your email client (or web browser)
> it will just
> be ignored completely, as it should be according to the HTML spec.
> An "Input" tag is modified so its type is a "reset" button, and all
> JavaScript "on..." methods are removed.
> A "Button" tag is modified so its type is a "reset" button, and all
> JavaScript "on..." methods are removed.

What's the point of disarming input tags when form tags are taken out?  An
input without a form does nothing.

Changing the type of buttons seems like a very bad idea to me - I can easily
imagine a lot of confusion resulting and it doesn't seem like a useful
change.

> Notes
>
> The point of the xxxx number on the end of each tag name is to protect
> against an attack in which a new XML object or stylesheet
> setting is used
> to create a new tag called "MailScannerForm" which has the
> same actions as
> a conventional "Form" tag.

I would prefer that the changes to the HTML be reversible - this makes that
more difficult.  Wouldn't it be just as useful to prepend
"MailScanner_%orgname%_"?  Seems like that would be enough to defeat the
attack.  And blocking both <script> tags and on* attributes means there's
nothing left that can examine the DOM to figure out the %orgname% string
dynamically.

Although I like the ability to disarm Javascript on* attributes, I'd prefer
they were just disarmed, not removed.  Makes debugging much easier.  Ditto
for codebase attributes.

And although it's great to have this implemented in MS at all (thanks!), I
wish it were just a list of tags I could specify arbitrarily.  For example,
a new config file variable, "Tags To Disarm" could be defined.  It could
contain either a ruleset or a list of tags.  The tags in the list would get
"disarmed" by prepending something like "MailScanner_%orgname_" to them.

More information about the MailScanner mailing list