Detected HTML-specific exploits

Jason Burzenski jburzenski at AMERICANHM.COM
Mon May 17 16:10:51 IST 2004


In case anyone else needs additional ammunition to justify this "blocking
javascript" rule to management, I believe hotmail.com may be actively
blocking messages containing javascript.  The message discussed below could
not be successfully delivered to a hotmail account or to that account's
designated "spam" folder.

> >I figured as much.  I suppose I was looking for a more specific log
> >entry or that I wanted to validate that this log entry could correspond
> >to a script block and was not some other ruleset somewhere that I
> >didn't know about (there is no clear indication of what an
> >HTML-specific exploit is if you are just looking at logs and don't
> >realize it is object codebase, forms, iframes, scripts, etc).
> >
> >I have reviewed the disarm setting and the "not 100% effective"
> >concerns me.  I may use a ruleset to "disarm" from certain domains that
> >we need to permit for business purposes and leave the rest of the world
> >set to no.  Has anyone seen any situations where disarm permitted
> >exploit code through?
>
> No-one has broken it yet. But if you know enough XML, it is
> possible to design your own new XML tag that has the same
> effect as the tag you have disarmed.
>
> It's far from trivial, but it is possible. Hence my "no
> guarantees" statement.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>


