[Snort-users] ACID Incident Report escapes emails

Michael Scheidell scheidell at ...3799...
Mon Oct 22 08:49:07 EDT 2001


On the ACID display screen, it has to 'escape' the ampersand so that it
can be displayed correctly in the HTML browser.

However, when it emails a 'full report' it still escapes the ampersand,
making the ascii data a little difficult to read.

example:

the data is this&that

html script HAS to do: this&amp;that so that this&that is displayed on
screen; however, when the email is sent via ACID, it should not escape
the ampersand:


(and, yes, this was some luser at aldelpha searching for open web form mail
scripts, using it to send it back to itself at aol  to collect holes to spam
from)

Michael Scheidell

> --
> #(5 - 42754) [2001-10-22 04:35:57] [Bugtraq/1187] [CVE/CVE-1999-0172]
> [arachNIDS/226]  WEB-CGI formmail access
> IPv4: 24.51.65.183 -> xx.xx.xx.xxxx
>       hlen=5 TOS=0 dlen=478 ID=50070 flags=0 offset=0 TTL=113 chksum=57049
> TCP:  port=21039 -> dport: 80  flags=***AP*** seq=4199629098
>       ack=3611075816 off=5 res=0 win=17520 urp=0 chksum=53227
> Payload:  length = 438
>
> 000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F 72   GET /cgi-bin/for
> 010 : 6D 6D 61 69 6C 2E 70 6C 3F 65 6D 61 69 6C 3D 63   mmail.pl?email=c
> 020 : 78 74 31 34 40 6D 6B 65 34 31 2E 63 6F 6D 26 72   xt14 at ...3886...&r
> 030 : 65 63 69 70 69 65 6E 74 3D 70 77 73 38 38 38 40   ecipient=pws888@
> 040 : 61 6F 6C 2E 63 6F 6D 26 73 75 62 6A 65 63 74 3D   aol.com&subject=
> 050 : 68 74 74 70 3A 2F 2F 63 75 72 61 67 65 6E 2E 63   http://xxxxxxx.c
> 060 : 6F 6D 2F 63 67 69 2D 62 69 6E 2F 66 6F 72 6D 6D   om/cgi-bin/formm
> 070 : 61 69 6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25   ail.pl%20%20%20%
> 080 : 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32   20%20%20%20%20%2
> 090 : 30 25 32 30 35 39 6C 6F 35 39 26 3D 25 30 44 25   0%2059lo59&=%0D%
> 0a0 : 30 41 25 30 44 25 30 41 74 69 6D 65 2F 64 61 74   0A%0D%0Atime/dat
> 0b0 : 65 3A 25 32 30 30 34 3A 33 39 3A 33 36 61 6D 25   e:%2004:39:36am%
> 0c0 : 32 30 2F 25 32 30 31 30 2F 32 32 2F 32 30 30 31   20/%2010/22/2001
> 0d0 : 25 30 44 25 30 41 3C 41 25 32 30 48 52 45 46 25   %0D%0A<A%20HREF%
> 0e0 : 33 44 25 32 32 68 74 74 70 3A 2F 2F 63 75 72 61   3D%22http://xxxx
> 0f0 : 67 65 6E 2E 63 6F 6D 2F 63 67 69 2D 62 69 6E 2F   xxx.com/cgi-bin/
> 100 : 66 6F 72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 68   formmail.pl%22>h
> 110 : 74 74 70 3A 2F 2F 63 75 72 61 67 65 6E 2E 63 6F   ttp://xxxxxxx.co
> 120 : 6D 2F 63 67 69 2D 62 69 6E 2F 66 6F 72 6D 6D 61   m/cgi-bin/formma
> 130 : 69 6C 2E 70 6C 3C 2F 41 3E 25 30 44 25 30 41 25   il.pl</A>%0D%0A%
> 140 : 30 44 25 30 41 35 39 6C 6F 35 39 25 32 30 7E 76   0D%0A59lo59%20~v
> 150 : 6D 73 20 48 54 54 50 2F 31 2E 30 0D 0A 43 61 63   ms HTTP/1.0..Cac
> 160 : 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43   he-Control: No-C
> 170 : 61 63 68 65 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E   ache..Proxy-Conn
> 180 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
> 190 : 76 65 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   ve..Accept: */*.
> 1a0 : 0A 48 4F 53 54 3A 20 63 75 72 61 67 65 6E 2E 63   .HOST: xxxxxxx.c
> 1b0 : 6F 6D 0D 0A 0D 0A                                 om....
>
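
The behaviour asked for above, as an added example that is not part of the original post and not ACID's own code (ACID is written in PHP; Python is used here so the example can be run directly): the payload's ASCII column is kept raw and encoded only at the sink, HTML-escaped for the browser and left unescaped in a text/plain mail. The function names, addresses, subject line and sample payload are assumptions constructed for the illustration.

```python
import html
from email.message import EmailMessage


def hexdump_rows(payload: bytes, width: int = 16):
    """Yield (offset, hex column, RAW ascii column) for each row of the payload."""
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        # Non-printable bytes (CR, LF, ...) become '.', as in the report above.
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        yield off, hex_col, ascii_col


def render_html(payload: bytes) -> str:
    """Browser sink: escape &, <, > and quotes so payload bytes never become markup."""
    rows = (f"{off:03x} : {hx}   {html.escape(asc)}"
            for off, hx, asc in hexdump_rows(payload))
    return "<pre>\n" + "\n".join(rows) + "\n</pre>"


def render_text(payload: bytes) -> str:
    """Plain-text sink: no HTML escaping, the reader sees the bytes as sent."""
    return "\n".join(f"{off:03x} : {hx}   {asc}"
                     for off, hx, asc in hexdump_rows(payload))


def build_report_mail(payload: bytes, sender: str, rcpt: str) -> EmailMessage:
    """Build the e-mailed report as text/plain from the raw payload."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "Incident report"  # hypothetical subject line
    msg.set_content(render_text(payload))
    return msg


# Constructed sample request, not the captured payload from the report above.
SAMPLE = (b"GET /cgi-bin/formmail.pl?email=a@example.com"
          b"&subject=<A HREF> HTTP/1.0\r\n")

if __name__ == "__main__":
    print(render_html(SAMPLE))
    print(build_report_mail(SAMPLE, "ids@example.org", "soc@example.org"))
```

Escaping once at storage time, or reusing the HTML-rendered string for the mail body, is what produces `&amp;` in the e-mailed report.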




