[Esd-l] List of what Sanitizer "Sanitizes"

[Smart,Dan]

John:
I was trying to document what exactly your Sanitizer sanitizes as part of my
Sarbanes-Oxley control documentation.  Here's my attempt based on change
logs and code review.  Is this close?

<<Dan>>

Dan Smart
Enterprise Security Specialist
Vulcan Materials Company
Birmingham, AL  USA 

===== John Hardin's Sanitizer Message "Sanitizing" features
======================

HEADERS
1. Sanitize bare CR in message headers (Outlook bug). 
2. Sanitize multiple null addresses (sendmail exploit).
^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notificatio
n|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*<>.*
3. Detect and truncate Subject: headers longer then 250 characters, to
protect Outlook Express users. 
4. Truncate excessively long (>500) standard headers, to address the MS
Outlook header buffer-overflow bug;
(Mime-Version|(Resent-)?(Date|Sender|From|Reply-To)|(errors|disposition-noti
fication|apparently)-to|Message-ID|Return-Path|Status|X-Status|X-Keywords):

FIX MIME
1. Repair malformed MIME boundary strings (e.g. begin with "A--" instead of
"--"). 
2. Filter out odd characters from MIME boundary strings? 
3. Check for a null MIME boundary string and supply one if necessary; this
is a major DoS attack against Microsoft Exchange 
4. Sanitize MIME values that have been explicitly set to null (e.g.
encoding="") - this is a major DoS attack against Microsoft Exchange. 
5. Sanitize double backquotes in MIME headers to prevent remote attacks
against Metamail via the UW Pine MUA

ATTACHMENT HEADERS
1. Mangle CID (Content-ID:) headers to disable IFRAME and related exploits. 
2. Sanitize files with Microsoft Class-ID extensions. 
3. Shorten long file names to less than 120 characters
   a. Collapse runs of spaces in filenames before length-limiting. 
4. Fix double backquotes
5. Fix missing closed quote on filename
6. Fix unquoted filenames
   a. Properly enquote unquoted attachment filenames that have embedded
semicolons.
7. Fix trailing periods and spaces in filename.
8. Catch encoded periods in filenames
9. Fix encoded plain characteris in filename
10. Catch quotes-in-extension attack
11. Remove embedded RFC822 comments
12. strip attachment-only MIME messages. 

URLs
1. Fix URL Spoofing; a.com%01 at b.com
2. Fix URL Obfuscation; a.com at b.com
3. Filter Location with URL; Location: URL:
4. Filter Locaton with File; Location: File:


WEBBUGS
1. Sanitize <IMG> tags
2. Sanitize webbug images in tables. 
3. Sanitize the <BGSOUND> tag for webbugs
4. Santize "BACKGROUND" subtag for webbugs

TAGS
1. Sanitize the <LINK> tag.
2. Sanitize the <LAYER> tag; this is primarily of interest to people running
webmail programs. 
3. Sanitize <STYLE> tags and clauses because they can be used to hide
scripting code. 
4. Detect obscured HTML tags. 
	a. Deal with attempted obscuration of tag options with &# and %
escapes. 
5. Sanitize <TITLE> tags to secure against Netscape's execution of
javascript in the wrong security context. 
6. Sanitize FORM tags (see bugtraq posting
http://www.securityfocus.com/archive/1/359139). 

ACTIVE SCRIPT
1. Sanitize active HTML <SCRIPT> tags
	Defang OnCommands such as OnLoad and other OnCommands.
	Defang script or mocha:
(["\047\075]|url\()([a-z]+script|mocha):
	Defang &{: 		(["\047\075])&{

ENCRYPTION
Disable sanitizing of encrypted/signed messages; 
<<Dan>>

Dan Smart
Enterprise Security Specialist
Vulcan Materials Company
Birmingham, AL  USA