Tim,
yes... I might implement your approach if we start getting too
many false positives. I'd refine it a bit though, at least like
this
/http:\/\/\S*(%3c|<)(s|%53|%73)(c|%43|%63)(r|%52|%72)(i|%49|%69)(p|%50|%70)(t|%54|%74)(%20|\+)(l|%4c|%6c)(a|%41|%61)(n|%4e|%6e)(g|%47|%67)/i
but then I'm not sure whether there may be other ways of invoking
JavaScript from a URL.
-- Norbert.
Tim Pierce <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 01, 2001 at 01:00:40AM +0200, Norbert Bollow wrote:
> > Here is a new type of possible malware that is not stopped by
> > standard demime/attachment stripping.
> >
> > I have just added a check for the regular expression
> >
> > /https?:\S*(%3a|\:)(%2f|\/)(%2f|\/)/i
>
> I would probably use this instead:
>
> http://\S*(%3c|<)script(%20|\+)language
>
> Legitimate redirector URLs will include strings like %2F%2F.
> URL-escaped code for invoking JavaScript is much less likely to
> appear inside a benign message.
>
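How the three patterns quoted in this thread behave on a redirector link and on a percent-encoded `script` tag, next to an alternative that decodes each URL before matching. This is an added example, not code from either poster; the sample messages are constructed, and `decoded_match` (including its coverage of `https://`) is an assumption introduced here.

```python
import re
from urllib.parse import unquote_plus

# The three patterns exactly as quoted in the thread.
ORIGINAL = re.compile(r"https?:\S*(%3a|\:)(%2f|\/)(%2f|\/)", re.I)
TIM = re.compile(r"http://\S*(%3c|<)script(%20|\+)language", re.I)
NORBERT = re.compile(
    r"http:\/\/\S*(%3c|<)(s|%53|%73)(c|%43|%63)(r|%52|%72)(i|%49|%69)"
    r"(p|%50|%70)(t|%54|%74)(%20|\+)(l|%4c|%6c)(a|%41|%61)(n|%4e|%6e)(g|%47|%67)",
    re.I,
)

# Hypothetical alternative: pull out each URL, undo %XX and '+' once,
# then look for the plain-text tag. One pattern covers every encoding mix.
URL_TOKEN = re.compile(r"https?://\S+", re.I)
DECODED_TAG = re.compile(r"<script lang", re.I)


def decoded_match(text):
    return any(DECODED_TAG.search(unquote_plus(u)) for u in URL_TOKEN.findall(text))


def classify(text):
    """Return which of the four checks flag the given message body."""
    return {
        "original": bool(ORIGINAL.search(text)),
        "tim": bool(TIM.search(text)),
        "norbert": bool(NORBERT.search(text)),
        "decoded": decoded_match(text),
    }


# Constructed sample message bodies (not taken from real mail).
SAMPLES = {
    "plain": "See http://example.com/list/archive.html",
    "redirector": "http://example.com/go?url=http%3A%2F%2Fexample.org%2Fnews",
    "literal_tag": "http://example.com/p?q=%3Cscript+language=javascript%3E",
    "encoded_letters": "http://example.com/p?q=%3C%73%63ript%20%6Canguage=javascript%3E",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} {classify(body)}")
```

The redirector sample is the false-positive case Tim describes for the original check, and the `encoded_letters` sample is the case Norbert's per-character alternation adds over Tim's pattern.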