
[SPIKELAB-SA] Security mailing lists: xss/css annoyance DoS.

Thu, 01 Feb 2007

Look ma, I've exploited 10 lines of PHP from 1982 that nobody on the Internet has ever even heard of!
XSS/CSS/SQL injections have meant denial of service, death by suffocation, for most of the security/vulnerability related mailing lists.
Honestly.
Since a bit of web security awareness developed and people started looking at web application security, cross-site scripting attacks have become as common as buffer overflows were in the '80s, probably more so. And lots of kids thought they could have their minute of fame posting an SA on bugtraq or full-disclosure (or most likely both, thanks for cross-posting!). As a result, after digging through spam and removing posts from those 3 or 4 known bad apples, you're left with an average of 30 web-based exploits. A couple are probably worth reading if you deal with that sort of thing, since they concern [unfortunately] widespread apps like phpBB, but otherwise it's a lot of wasted time (especially if you're subscribed to 6 or 7 of these lists).
To save some time, it's easy to set up procmail so those messages are directed to another maildir, at a lower priority perhaps, if you don't want to throw them away outright, and let you focus on the real stuff. Example:

# Web-exploit chatter from bugtraq/full-disclosure goes to its own maildir.
# The trailing slash on the target makes it a maildir; procmail creates it if
# it is missing, and maildir delivery needs no local lockfile, so the recipe
# starts with ":0" rather than ":0:" (procmail would warn about an extraneous
# lockfile otherwise). Matching is case-insensitive unless the D flag is set.
:0
* ^List-Id:.*(bugtraq|full-disclosure)
* ^Subject:.*(xss|sql inj|cross-site|cross site|file inclusion vuln\
|css|remote file incl|html inj|ajax|guestbook)
lists/lists.misc.xsssqlinjcss/
That matches messages sent to the bugtraq and full-disclosure mailing lists whose subject contains one of those words/expressions, which most likely indicate a web-exploit-related post. If that's the case the email is saved in lists/..... The name is invented, but I picked it to stay consistent with the naming scheme for my mailing list directory. I could have matched one list at a time and redirected posts to lists.bugtraq.com.xsscss or something, but I considered that one layer too many.
It's obviously not perfect, it misses some stuff, but it still helps a lot and costs basically nothing to implement, so it's worth doing anyway.
If you want my whole ~/.procmailrc you can download it here.
You can obviously extend this to anything that annoys you, just extend the list of blacklisted words, but try not to come up with combinations that are too loose or you'll end up filtering too much. For example, I don't really care about Windows, so I'm redirecting all those messages to a windows dir which I read quite rarely.
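Before a keyword list like the one above goes into ~/.procmailrc it is worth seeing which subjects it actually catches and which slip through. The script below is an added example, not part of the original post or of the author's ~/.procmailrc: it emulates the recipe (and the "windows dir" extension just mentioned) in POSIX shell over a few constructed messages. The windows keywords, the second folder name and the sample headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the procmail recipe in
# POSIX shell so a keyword list can be tried on sample mail before deployment.
# Folder names follow the post's naming scheme; messages below are constructed.

# Keyword list from the recipe, as one POSIX ERE. procmail matches
# case-insensitively by default, hence grep -i throughout.
WEB_WORDS='xss|sql inj|cross-site|cross site|file inclusion vuln|css|remote file incl|html inj|ajax|guestbook'
LISTS='bugtraq|full-disclosure'

# headers MESSAGE: print only the header block (up to the first empty line),
# which is all procmail searches unless a recipe carries the B flag.
headers() {
    printf '%s\n' "$1" | sed '/^$/q'
}

# matches MESSAGE HEADER-NAME ERE: succeed if that header line matches.
# Like procmail's ".", grep never matches across a newline, so a keyword split
# over a folded header line is missed by both.
matches() {
    headers "$1" | grep -iqE "^$2:.*($3)"
}

# route MESSAGE: print the folder the message would be delivered to.
# As in procmail, the first delivering recipe wins.
route() {
    msg=$1
    if matches "$msg" List-Id "$LISTS" && matches "$msg" Subject "$WEB_WORDS"; then
        echo "lists/lists.misc.xsssqlinjcss/"
    elif matches "$msg" Subject 'windows|win32|win2k'; then  # assumed keywords for the windows dir
        echo "lists/lists.misc.windows/"                     # assumed folder name
    else
        echo "DEFAULT"                                       # procmail's $DEFAULT mailbox
    fi
}

# Constructed sample messages; addresses and list ids are placeholders.
MSG_WEB='From: poster@example.invalid
List-Id: <bugtraq.example.invalid>
Subject: [SA] XSS in ExampleCMS guestbook

body'

# Subject folded between "Cross" and "Site": the keyword spans the fold and
# the recipe does not see it.
MSG_FOLDED='List-Id: <full-disclosure.example.invalid>
Subject: Re: Cross
 Site scripting in ExampleBoard

body'

MSG_WIN='List-Id: <bugtraq.example.invalid>
Subject: Windows kernel privilege escalation

body'

MSG_OTHER='List-Id: <bugtraq.example.invalid>
Subject: Heap overflow in ExampleDaemon

body'

for m in "$MSG_WEB" "$MSG_FOLDED" "$MSG_WIN" "$MSG_OTHER"; do
    printf '%-45s -> %s\n' "$(headers "$m" | grep -i '^Subject:')" "$(route "$m")"
done
```

Running it shows the XSS and Windows subjects landing in their folders, the heap overflow staying in the default mailbox, and the folded "Cross Site" subject slipping through, which is the kind of miss the post's "it misses some stuff" refers to. The same emulation is a cheap way to check that a new blacklisted word is not too loose before adding it to the real recipe.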
SpikeLab.org is a Filippo Spike Morelli copyright 2005-2008
This work is licensed under Creative Commons Att-SA License.