Detected HTML-specific exploits

Julian Field mailscanner at ecs.soton.ac.uk
Mon May 17 16:26:35 IST 2004


At 16:17 17/05/2004, you wrote:
>On 17 May 2004 at 15:02, Julian Field wrote:
>
> > At 14:53 17/05/2004, you wrote:
> >
> > >I figured as much.  I suppose I was looking for a more specific log entry
> > >or that I wanted to validate that this log entry could correspond to a
> > >script block and was not some other ruleset somewhere that I didn't know
> > >about (there is no clear indication of what an HTML-specific exploit is if
> > >you are just looking at logs and don't realize it is object codebase,
> > >forms, iframes, scripts, etc).
> > >
> > >I have reviewed the disarm setting and the "not 100% effective" concerns
> > >me.  I may use a ruleset to "disarm" from certain domains that we need to
> > >permit for business purposes and leave the rest of the world set to
> > >no.  Has anyone seen any situations where disarm permitted exploit code
> > >through?
> >
> > No-one has broken it yet. But if you know enough XML, it is possible to
> > design your own new XML tag that has the same effect as the tag you have
> > disarmed.
> >
> > It's far from trivial, but it is possible. Hence my "no guarantees" statement.
>
>But this would apply also to the 'complete blocking' of the tag, wouldn't it?
>that is the 'no guarantee' applies to the 'tag identification' rather than
>the 'tag disarming'... or I didn't understand your answer :-)

True, I had overlooked that.
-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
