On 12/4/16 8:17 AM, Wietse Venema wrote:
> @ lbutlr:
> On 12/3/16 2:57 PM, Wietse Venema wrote:
> Proof of concept:
> MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>
> That results in "501 5.5.4 Syntax: MAIL FROM:<address>"
> OK, so insert the missing ':'
> MAIL FROM:"<script type='text/javascript'>alert('xss');</script>"@example.com>
> 250 2.1.0 Ok
Fair enough. But the script strips out < and > (and [] and ,), so I'm
still not seeing an issue.
bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' \
    | grep -v "Protocol error" | grep -v "$EXCLUDE" | sort -u \
    | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected
I guess the sed only strips the enclosing <, so spurious opening
brackets could be left behind, but the tr -d will take out all the
closing >'s. I've added '<' to the tr list just in case, so no <> from
the log file will remain.
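To make the point of the thread concrete, here is an added example (not code from the thread or from Postfix) run over constructed smtpd reject log lines: it pulls the sender out of `from=<...>`, applies the same character stripping as the `tr -d` step, and beside it shows output encoding with `html.escape`, which is what a page rendering these addresses should rely on regardless of upstream stripping. The log lines, hostnames and addresses are constructed; the second sender is the proof-of-concept address from the post.

```python
import html
import re

# Constructed Postfix smtpd reject log lines (not from the thread); the
# sender in the second line is the proof-of-concept address from the post.
SAMPLE_LOG = """\
Dec  4 08:17:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <bob@invalid.test>: Sender address rejected: Domain not found; from=<bob@invalid.test> to=<alice@example.org> proto=ESMTP helo=<mail.invalid.test>
Dec  4 08:18:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Sender address rejected; from=<"<script type='text/javascript'>alert('xss');</script>"@example.com> to=<alice@example.org> proto=ESMTP helo=<x>
Dec  4 08:19:03 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.7.1 Protocol error; from=<carol@example.net> to=<alice@example.org> proto=ESMTP helo=<y>
"""

# Match the sender up to the "> to=<" that follows it in a smtpd reject line,
# so a ">" inside a quoted local part does not cut the address short the way
# 'from=<[^>]+>' would.
FROM_RE = re.compile(r'from=<(.*?)> to=<')


def extract_senders(log_text):
    """Unique senders from reject lines, skipping 'Protocol error' lines
    as the thread's pipeline does."""
    senders = set()
    for line in log_text.splitlines():
        if 'reject' not in line.lower() or 'Protocol error' in line:
            continue
        m = FROM_RE.search(line)
        if m:
            senders.add(m.group(1))
    return sorted(senders)


def strip_like_tr(s):
    """Equivalent of the thread's `tr -d`, with '<' added to the list."""
    return s.translate(str.maketrans('', '', '<>,[]:'))


def escape_for_html(s):
    """Output encoding for display in a web page: every '<', '>', '&' and
    quote becomes an entity, so the address can no longer form markup."""
    return html.escape(s, quote=True)
```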