[Tickets #388] HTML Mime filtering review

Thu Jul 15 18:57:31 PDT 2004

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

-Ticket 388
-Queue: Horde Framework
-Added By: Chuck Hagenbuch <chuck at horde.org>

>From Chuck Hagenbuch <chuck at horde.org> (Thu Jul 15 18:57:30 2004):
I haven't read this in depth yet, but might be worth another HTML MIME
viewer review.

----- Weitergeleitete Nachricht von james.slora at phra.com -----
    Datum: Tue, 13 Jul 2004 15:30:08 -0400
    Von: "James C. Slora, Jr." <james.slora at phra.com>
Antwort an: "James C. Slora, Jr." <james.slora at phra.com>
 Betreff: Find the tag continued
      An: bugtraq at securityfocus.com, Windows NTBugtraq Mailing List
<NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM>

Takeoff from http-equiv's notes about closing >

By design, unprocessable HTML tags and tag parameters are ignored during
parsing. An amazing amount of worthless obfuscating stuff can be
inserted before the closing > of a valid tag, and the parameters for the
tag can be tough to find.

Mail filtering and human review of unwanted stuff like object and iframe
tags might get fooled.

Here is a funnier example of tag obfuscation, plus an odd interactive
rendering of the message. It uses http-equiv's Paul.html for its object
data source. Paste the stuff below into a text file named message.eml
and open it in Outlook Express. Forward it to Outlook for more of the
same fun. Add alternate text for non-html readers, and it could be even
more funny. Mix in some auto-execute silliness to taste. It will already
execute if forwarding while using Word as the email editor.

---> Copy everything below this line <---
Content-Type: text/html;

As part of ongoing security efforts, Big Internet Software Company is
conducting a gullibility test. Forward this to all your friends to see
if they click the link. You will receive twenty dollars from them for
every friend you can fool.<br> <br>This message will now check for your
software's compatibility with this
test.<hemo><poisoning><spamsux><hidden><bury> <object << <img << <html
<<< </body </html

Enlarge your nostrils - she will thank you for it. This is a dull
message designed to distract you from the tag completion down below if
you are a mail administrator who is looking at the source of a spam
message to see if there is anything fishy in it, or if you are a mail
screening program that wants to look for the closing of the object tag
but is only willing to look so far to avoid munching all the CPU time
that is available searching for closing tags.

You can ramble on and on and on yet still remain within the object tag
until you finally come to an &gt; closing element. I wonder what the
limit might be?

Object just goes and goes and goes. You could probably put an
encyclopedia in here.

******************************
Such ridiculous lengths made me wonder if eventually you must overflow a
buffer. But 48MB worth of garbage did not cause any problems - it just
took longer to display.
******************************

Insert additional garbage here ad nauseum.

If you do not wish to receive similar messages in the future, please
send a blank message to
mailto:nostrilenlargement at stickyourfingerinit.com, or use this
unsubscribe link: data=3D"http://www.malware.com/paul.html"
<a HREF="www.widowsupdate.comm">

<br><br>
*********SORRY***********
<br><br>

Your mail client does not support the ActiveX control required to
participate in this test. You may still collect twenty dollars for each
of your friends that clicks.<br><br>

If you do not wish to participate in future tests, <br>please send a
blank message to <br>mailto:nostrilenlargement at stickyourfingerinit.comm,
<br>or use this unsubscribe link:
"http://www.pickledherring.orgg/page.php"

----- Ende der weitergeleiteten Nachricht -----

https://dev.horde.org/horde/whups/details.php?id=388

-- 