@ lbutlr:
> On 12/4/16 8:17 AM, Wietse Venema wrote:
> > @ lbutlr:
> >> On 12/3/16 2:57 PM, Wietse Venema wrote:
> >>> Proof of concept:
> >>>
> >>> MAIL FROM<"<script
> >>> type='text/javascript'>alert('xss');</script>"@example.com>
> >>
> >> That results in "501 5.5.4 Syntax: MAIL FROM:<address>"
> >
> > OK, so insert the missing ':'
> >
> > MAIL FROM:"<script
> > type='text/javascript'>alert('xss');</script>"@example.com>
> > 250 2.1.0 Ok
>
> Fair enough. But the script strips out < and > (and [] and ,), so I'm
> still not seeing an issue.
>
> bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep
> -v "Protocol error" | grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' |
> tr -d '>,[]:' | grep -v rejected
>
> I guess the sed only strips the enclosing <, so spurious opening
> brackets could be left behind, but the tr -d will take out all the
> closing >'s. I've added '<' to the tr list just in case, so no <> from
> the log file will remain.

Good. I think that we now have agreement that some logfile content is
under control by untrusted users.

Wietse
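
The point the thread ends on, as an added example that is not part of the original messages or of the script under discussion: because the sender address in a reject line is chosen by the remote client, a report built from the log can encode it on output instead of deleting a fixed list of characters. The function names `html_escape`, `reject_senders` and `sample_log`, the sample log lines, and the assumption that the report is rendered as HTML are all constructed for illustration.

```shell
#!/bin/sh
# Added example: sender addresses in Postfix reject lines are attacker-chosen,
# so encode them on output rather than deleting a fixed list of characters.

# Encode the five HTML-significant characters. '&' goes first so the
# entities produced by the later rules are not encoded a second time.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Read log lines on stdin, print each distinct rejected sender, HTML-encoded.
# Assumes the "from=<...> to=<...>" field order of smtpd reject lines.
reject_senders() {
    grep -i 'reject' |
        sed -n 's/.* from=<\(.*\)> to=<.*/\1/p' |
        LC_ALL=C tr -d '\000-\010\013-\037\177' |
        LC_ALL=C sort -u |
        html_escape
}

# Constructed sample log (hypothetical hosts and addresses, not from the thread).
sample_log() {
    cat <<'EOF'
Dec  4 08:20:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<"<script type='text/javascript'>alert('xss');</script>"@example.com> to=<user@example.net> proto=ESMTP helo=<example.com>
Dec  4 08:20:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 <user@example.net>: Relay access denied; from=<alice@example.org> to=<user@example.net> proto=ESMTP helo=<example.org>
Dec  4 08:21:10 mx postfix/qmgr[900]: 4F1A22C0D3: from=<bob@example.org>, size=1234, nrcpt=1 (queue active)
EOF
}

sample_log | reject_senders
```

The quoted local part survives as visible text in the report, and no markup character from the log reaches the output unencoded.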