Interesting that they're encoding the attack in the useragent string. If that's the case, can you not write a filter that puts the useragent string in a temporary location, clears useragent, executes the necessary system() calls, then swaps it back? Or even better, leave it swapped out, and refer to the swapped location if you need to examine it for things like I.E. vs. Firefox vs. Opera vs. whoever?
That's what would first occur to me, but perhaps I'm being over simplistic. If so, simply tell me.

--- Dan

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
