Detected HTML-specific exploits

Mariano Absatz mailscanner at LISTS.COM.AR
Mon May 17 16:17:10 IST 2004


On 17 May 2004 at 15:02, Julian Field wrote:

> At 14:53 17/05/2004, you wrote:
> 
> >I figured as much.  I suppose I was looking for a more specific log entry
> >or that I wanted to validate that this log entry could correspond to a
> >script block and was not some other ruleset somewhere that I didn't know
> >about (there is no clear indication of what an HTML-specific exploit is if
> >you are just looking at logs and don't realize it is object codebase,
> >forms, iframes, scripts, etc).
> >
> >I have reviewed the disarm setting and the "not 100% effective" concerns
> >me.  I may use a ruleset to "disarm" from certain domains that we need to
> >permit for business purposes and leave the rest of the world set to
> >no.  Has anyone seen any situations where disarm permitted exploit code
> >through?
> 
> No-one has broken it yet. But if you know enough XML, it is possible to
> design your own new XML tag that has the same effect as the tag you have
> disarmed.
> 
> It's far from trivial, but it is possible. Hence my "no guarantees" statement.

But this would apply also to the 'complete blocking' of the tag, wouldn't it?
That is, the 'no guarantee' applies to the 'tag identification' rather than
the 'tag disarming'... or I didn't understand your answer :-)

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Make it idiot proof and someone will make a better idiot.
