RE: [SAtalk] Need a rule for IE Exploit

Thu, 11 Dec 2003 16:55:09 -0800 

This may be redundant to the existing rule:
2.4 HTTP_ESCAPED_HOST      URI: Uses %-escapes inside a URL's hostname

> -----Original Message-----
> From: Larry Gilson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 11, 2003 11:47 AM
> To: 'Fred'; Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] Need a rule for IE Exploit
> 
> 
> 
> 
> > -----Original Message-----
> > From: Fred
> > 
> > Hello,
> > I am out the door on my way to work but we need a rule for a 
> > new IE exploit just released, Visit this page, the exploit is 
> > harmless but to the spoofer, it's man's best friend.
> > 
> > http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> > I think this should be put in the next SA release!!
> 
> 
> I am not the best at this but here is my crack at it:
> 
> describe MY_URI_IEEXPLOIT MY: IE Exploit
> uri      MY_URI_IEEXPLOIT /https?:\/\/(\w+\-?\.?)+\W@/i 
> score    MY_URI_IEEXPLOIT 4.0
> 
> 
> 
> Or maybe:
> 
> uri MY_URI_IEEXPLOIT /https?:\/\/.*\%(?:[0-1][0-1a-f]|7f)@/i 
> That includes non-existing %11 but it is clean.
> 
> 
> 
> Or combined:
> uri MY_URI_IEEXPLT /https?:\/\/(\w+\-?\.?)+\%(?:[0-1][0-1a-f]|7f)@/i 
> 
> 
> --Larry
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign 
> up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell 
> to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to