
Re: Email sanitizing - requesting advice



On Wed, May 23, 2001 at 01:15:35PM -0400, Basham, David wrote:
> Dan:
> 
> Another good resource at
> http://oliver.efri.hr/~crv/security/bugs/Others/webmail4.html

This is a slightly more advanced version of what I was describing (and they
actually did it, as opposed to just realizing it was possible).  They've
figured out that using the <DIV> DHTML tag to move images around is just as
effective as the <LAYER> tag (making more than just Netscape vulnerable),
and that you can create something that works on _any_ webmail provider not
filtering out <LAYER> and <DIV> (does anyone but hushmail and mail.com
filter them?) by using a broken link or clear image.  Sure beats cloning the
look of a specific provider's page.

They don't, however, mention that by crafting the link carefully for the
transparent image, it would be possible for most web-based email providers
to send a message to everyone in your address book à la the Kournikova worm.
If I wore a different color hat, I just might try it for the
proof-of-conceptness of it.

Now, while <LAYER> is perfectly reasonable to filter out of html documents
at a proxy level (I think the only use of it is MS using it to make sure you
can't access pages very deep into www.microsoft.com with Netscape), <DIV> is
another story.  Removing that makes CSS all but useless... and CSS is
supposed to be a _good_ thing.

Thanks for bringing this up.

-Dan

-- 
"There are two limits that this standard places on the number of
characters in a line. Each line of characters MUST be no more than
998 characters, and SHOULD be no more than 78 characters, excluding
the CRLF."       -- rfc2822 - Internet Message Format


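The message above argues that a proxy can safely drop <LAYER> but that dropping <DIV> would break CSS. The added example below (my code, not part of this thread or of any provider's filter) takes the middle path a defender would want: it removes <LAYER>/<ILAYER> entirely and keeps <DIV>, but strips only the inline CSS declarations that let an element be placed over the provider's own page. The set of "positioning" properties and the sample markup are my assumptions, constructed for illustration; the example.invalid URLs are placeholders.

```python
import html
from html.parser import HTMLParser

# <LAYER>/<ILAYER> are Netscape-only and have no legitimate use in mail, so the
# tags are dropped outright; their content is kept as ordinary flow content.
DROP_TAGS = {"layer", "ilayer"}

# Inline CSS properties that let a <DIV> be parked over the provider's own UI.
# This property list is an assumption for the example, not from the thread.
POSITIONING_PROPS = {"position", "top", "left", "right", "bottom", "z-index", "clip"}


def strip_positioning(style):
    """Split a style attribute into kept declarations and removed ones.

    Returns (kept_style_string, list_of_removed_declarations)."""
    kept, removed = [], []
    for decl in style.split(";"):
        if ":" not in decl:
            continue  # empty or malformed declaration, nothing to keep
        prop, value = (s.strip() for s in decl.split(":", 1))
        target = removed if prop.lower() in POSITIONING_PROPS else kept
        target.append(f"{prop}: {value}")
    return "; ".join(kept), removed


class LayerDivSanitizer(HTMLParser):
    """Re-serialises an HTML fragment, dropping <LAYER> and positioning CSS."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives already decoded
        self.out = []       # sanitized output pieces
        self.removed = []   # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.removed.append(f"tag <{tag}>")
            return
        parts = [tag]
        for name, value in attrs:
            if value is None:          # boolean attribute such as "nowrap"
                parts.append(name)
                continue
            if name.lower() == "style":
                value, gone = strip_positioning(value)
                self.removed.extend(f"style {d}" for d in gone)
                if not value:          # nothing left once positioning is gone
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # treat "<img .../>" like a start tag

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            return                          # matching close of a dropped tag
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry nothing a reader needs; drop them

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Return (sanitized_html, removed_items) for an HTML fragment."""
    p = LayerDivSanitizer()
    p.feed(fragment)
    p.close()
    return p.result(), p.removed


# Constructed sample in the shape the thread describes: a Netscape <LAYER> and an
# absolutely positioned <DIV>, each holding a clear image behind a link.
SAMPLE = (
    '<p style="color: navy">Hi!</p>'
    '<layer left="10" top="10"><img src="http://example.invalid/clear.gif"></layer>'
    '<div style="position: absolute; top: 0; left: 0; z-index: 9; color: red">'
    '<a href="http://example.invalid/"><img src="http://example.invalid/clear.gif"></a>'
    '</div>'
)

if __name__ == "__main__":
    cleaned, removed = sanitize(SAMPLE)
    print(cleaned)
    for item in removed:
        print("removed:", item)
```

After running, the <DIV> survives with only `color: red`, so ordinary CSS still works, while the <LAYER> tags and the four positioning declarations are gone and listed in the audit trail. The example only covers inline `style` attributes; a filter deployed at a proxy would also need to handle `<style>` blocks and linked stylesheets, which this parser passes through as text.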