[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40C65D31.9999.61EC74A1@localhost>
Date: Wed, 09 Jun 2004 00:43:29 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: OBJECT Bugs or Features
"James C Slora Jr" <Jim.Slora@...a.com> wrote:
> Two questions about the recent OBJECT tag assault in spam messages:
>
> 1. Should an email client process an OBJECT tag that has no corresponding
> /OBJECT?
> 2. Should an email client process an OBJECT tag that is not even embedded
> within HTML tags?
A more pertinent question to ask first is "What moron would ever design
an Email client that _could_ render 'active content', let alone
configure it to do so by default?". This would be closely followed by
"What morons would elect to use such a product, even if it is the pre-
installed default Email client in the most widely used OS?".
As the answers to these questions have been horribly clear for years,
we should move one though, but before we do, one final suggestion to
make XP SP2 _truly_ worthwhile -- it should uninstall IE and OE, then
randomly select and install other major third-party web browser and
Email client...
Anyway, to answer your specific questions...
It is generally considered "good practice" (as a result of the age-old
stupidity of "be lenient in what you accept", which is a purely anti-
quality and anti-standards position if there ever was one) to assume
that "end of file" represents termination of any paired HTML tags still
open, etc, etc. So, although an example such as that you provided is
not really "correct" (in that it is "incomplete") it would be expected
that a browser would at least attempt to do something with such code.
The answer to your second question is really an extension of the issue
just discussed. The headers of your example Email message quite
clearly claim the message is multipart/alternative and the first part
(with the "incomplete" OBJECT tag) is text/html. Thus, although the
body of that MIME component is not a properly formed, complete HTML
document, the MIME Content-Type: headers provide a fairly strong basis
for the MUA treating that message component as HTML and displaying it
accordingly. Thus, under the "we don't give half a knob of goat sh*t
for quality, predictability or stability" doctrine (aka "be lenient in
what you accept..."), a MUA treating the contents of such a message
component as if the missing "necessary" HTML tags and related
structures were present is "good practice".
<<snip>>
> Many other messages have Object tags that look like this:
>
> ~object =
> data=3D"http://www.=
> 19;ildwincasino=
> .net/page.php=
> ;"~
>
> Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The
> hostile site URL is often obfuscated through ASCII HTML encoding.
Note that you have failed to decode the quoted-printable encoding and
once you do, that final comment makes no sense...
The single "=" at the end of the line means a forced line-wrap for
formatting reasons (i.e. simply remove the "=" char and the
(immediately) following line-break) and the "=3D" is the necessary QP-
encoding of the straight "=" chars in the original message stream
(which must be so encoded to avoid possible ambiguity with QP's special
use of "=" chars).
RFC 1521 etc...
...
Finally, to all those suddenly jumping up and down about this -- where
have you been the last few months? All this stuff has been happening
for months and months. Search your recent older months of spam for
messages with Subject: lines of "YOU WON A FREE VACATION!!!" and
similar (and with slightly different numbers of plings).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists