Detected HTML-specific exploits

Julian Field mailscanner at ecs.soton.ac.uk
Mon May 17 15:02:31 IST 2004


At 14:53 17/05/2004, you wrote:

>I figured as much.  I suppose I was looking for a more specific log entry
>or that I wanted to validate that this log entry could correspond to a
>script block and was not some other ruleset somewhere that I didn't know
>about (there is no clear indication of what an HTML-specific exploit is if
>you are just looking at logs and don't realize it is object codebase,
>forms, iframes, scripts, etc).
>
>I have reviewed the disarm setting and the "not 100% effective" concerns
>me.  I may use a ruleset to "disarm" from certain domains that we need to
>permit for business purposes and leave the rest of the world set to
>no.  Has anyone seen any situations where disarm permitted exploit code
>through?

No-one has broken it yet. But if you know enough XML, it is possible to
design your own new XML tag that has the same effect as the tag you have
disarmed.

It's far from trivial, but it is possible. Hence my "no guarantees" statement.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
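
Added example (not part of the original post, and not MailScanner's own code): the reply above notes that disarming a fixed set of known tags says nothing about a tag the filter has never seen. The code below compares which tags a disarm-known-tags policy acts on with which a permit-only-known-tags policy acts on; both tag lists, the function names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed lists for illustration; not MailScanner's actual configuration.
DENYLIST = {"script", "iframe", "object", "form"}
ALLOWLIST = {"html", "body", "p", "b", "i", "a", "br", "div", "span"}


class TagCollector(HTMLParser):
    """Collect every element name seen in a message body, in order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # html.parser lowercases tag names

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)  # self-closing form, e.g. <br/>


def collect_tags(html):
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def denylist_hits(html):
    """Tags a 'disarm the known-bad tags' policy would act on."""
    return [t for t in collect_tags(html) if t in DENYLIST]


def allowlist_hits(html):
    """Tags a 'permit only the known-good tags' policy would act on."""
    return [t for t in collect_tags(html) if t not in ALLOWLIST]


def missed_by_denylist(html):
    """Tags that are neither known-good nor known-bad: the gap described above."""
    return [t for t in allowlist_hits(html) if t not in DENYLIST]


# Constructed sample: one known-bad tag and one tag neither list has heard of.
SAMPLE = ('<html><body><p>Hi</p><iframe src="x"></iframe>'
          '<newtag>data</newtag></body></html>')

if __name__ == "__main__":
    print("denylist acts on:  ", denylist_hits(SAMPLE))
    print("allowlist acts on: ", allowlist_hits(SAMPLE))
    print("denylist never saw:", missed_by_denylist(SAMPLE))
```

Tags reported by missed_by_denylist are the ones worth logging or reviewing when disarm is enabled only for selected sender domains.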
