However On Thu, Dec 11, 2003 at 03:51:17PM -0800, [EMAIL PROTECTED] wrote: > This may be redundant to the existing rule: > 2.4 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
That rule checks for an %-escape without preceding whitespace. There's a comment from Theo about # Have gotten FPs off this, and whitespace can't be in the host, so... however, it's not uncommon nowadays to have whitespace within the hostname, as part of the user/password field (a different exploit). Now that there is an exploit for this too, it's going to become more common, so I'd think it is worth re-scoring it as something like: uri HTTP_ESCAPED_HOST2 /^https?\:\/\/[^\/]*%[0-9a-fA-F][0-9a-fA-F]/ Would anyone with a corpus and time to check it be willing to suggest a suitable score, against 2.61, for this stricter rule ? Nick ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
