Threaded Mode | Linear Mode

***Kye-U*** · Jul. 23, 2004, 01:33 AM

Got it, will do that next time Wink

***ProxRocks*** · Jul. 23, 2004, 01:53 AM

Cool! Thanks... I guess I'm just "funny like that"...

Siamesecat · Jul. 23, 2004, 09:47 AM

The exception in Stop Browser Window Tricks is supposed to be "ciclops", not "cyclops". It stands for "Cassini Imaging Central Laboratory for Operations". The Cassini spacecraft has now reached Saturn and gone into orbit.

Peakaboo · Jul. 25, 2004, 08:55 PM

Hi Kye,

Good job on this filter set.

I'm sure you are taking a much needed break. Also recuperation from what I read.

I played with v 4.13 a little and actually for the filters I'm using my initial tests show that 4.12 is faster.

To give you a feel for the filters I'm using, I excluded all IE filters and concentrated on alternative Browser filters, and generic vulnerabilities (7 web and 3 header filters.

Just wondering if anyone else noticed a decrease in speed in going from 4.12 to 4.13.

Kye - according to superstition version 13 for anything should be skipped Wink

I'm kidding of course about 13 but not about my initial speed observations comparing the 2 versions.

Also Kye if you get a chance take a look here:

http://www.kephyr.com/popupkillertest/test/index.html

test #12 can you add something to your filter pack that will take care of that for Opera? I tried adding the dimensions of the popup to ad dimension filter but either I did not know what I was doing or there is something else going on which allows popup persistence on this test.

***Kye-U*** · Jul. 25, 2004, 10:31 PM

Hey Peakaboo! Glad to see you joined Welcome

Try:

Code:

[Patterns]

Name = "Remove Layered Pop-Up Window [Kye-U]"

Active = TRUE

URL = "$TYPE(htm)"

Bounds = "$NEST(<script,</script>)"

Limit = 1024

Match = "*showHideLayers*"

Replace = "<strong>Layered Pop-Up Window Removed</strong>"

I'm not sure if I should include this in my pack... haha...

Peakaboo · Jul. 25, 2004, 11:17 PM

Kye, Thank you for the nice welcome.

Appreciate the filter help, when invoked it matches but can not stop that popup. I even invoked the Kill popup window standard filter and Opera's pref to refuse all popups. I still get that window popup.

Not a big deal. Appreciate your help on this. No need to spend anymore time on this. I thought whatever persistent method they were using might be an interesting potential angle of exploit.

here are the matches on the filters I used:

<start> 923: Kill pop-up windows
<start> 923: Kill Dynamic HTML JavaScripts
Match 923: Remove Layered Pop-Up Window [Kye-U]
BlockList 923: in AdPaths, line 42
Match 923: Kill: Banners (linked)
Match 923: Disable JavaScript
Match 923: Disable JavaScript

On a different note, just wanted to say I like Siamesecat filters especially the browser tricks. I change URL match from "^cyclops" to ^ciclops per the above post.

Take it easy Wink

***Kye-U*** · Jul. 26, 2004, 06:06 AM

Version 4.14

Last Updated: July 26, 2004 - 2:04 AM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

-Modified (Stop Browser Window Tricks [Siamesecat])
--Added Hotmail to the URL Match (to Bypass)

-Modified (IE: %USERPROFILE% File Execution Exploit [Kye-U])
--Fixed false positive

-Modified (IE: Search/Media-Pane Injection Exploit [Kye-U])
--Added Arne's Proxomitron Forum (http://asp.flaaten.dk/proxo/) to the URL Match (to Bypass)

***Arne*** · Jul. 26, 2004, 10:06 AM

Nice filter set!
Now I know what to read tonight. (I am a bit odd since I like to read filters as bed time stories [smoke] )

Arne

Siamesecat · Jul. 27, 2004, 10:08 PM

I just had a notion about adding further spoof-proofing to those filters where the end tag is specified.
I have seen pages where anchors were terminated with line breaks instead of end anchor tags. If someone wanted a spoof to evade filtering, such a person might end an anchor with a line break. Internet Explorer tolerates code like this (but Mozilla browsers do not).
I am not sure how many tags can be terminated this way without causing IE problems. I have only seen it with anchors.

Code:

Name = "IE: Status Bar Spoof Exploit [Kye-U]"

Bounds = "$NEST(<a*>,<(/a|br)>)"

Name = "IE+XP: Kill HCP Links"

Bounds = "$NEST(<a(rea|),<(/a(rea|)|br)>)"

Would fix the sloppy/evasive code problem.

***Kye-U*** · Jul. 28, 2004, 12:07 AM

Thanks! I will include that in version 4.15. Eyes Closed Smile

***Kye-U*** · Jul. 28, 2004, 08:48 PM

Siamese, another false positive with your filter: Prevent File Access.

Here is the false positive:

Code:

<a class="button" href='opera:/button/Enable javascript,,,,"Checkbox Skin" |Disable javascript,,,,"Checkbox Skin.Selected"' title="Javascript">

The section in question is opera:/ where the filter looks at the ...a:/ part as a file access attempt.

***ProxRocks*** · Jul. 28, 2004, 09:00 PM

Correct me if I am mistaken, but wasn't the file access exploit in IE fixed back in version 5.5?

Siamesecat · Jul. 29, 2004, 07:43 AM

Quote:wasn't the file access exploit in IE fixed back in version 5.5?

Which one? There are lots of attempted accesses to files on hard (or other) drives. I feel better knowing that such an attempt is very unlikely to succeed with that filter in place.

Siamesecat · Jul. 29, 2004, 08:01 AM

Quote:Here is the false positive:

CODE
<a class="button" href='opera:/button/Enable

You could remove drive a: from the list. How often do you browse with a floppy in the drive, anyway?

***Kye-U*** · Jul. 29, 2004, 08:40 PM

Version 4.15

Last Updated: July 29, 2004 - 4:39 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

-Modified (Stop Browser Window Tricks [Siamesecat])
--Added Hotmail to the URL Match (to Bypass)

-Modified (IE: %USERPROFILE% File Execution Exploit [Kye-U])
--Fixed false positive

-Modified (IE: Search/Media-Pane Injection Exploit [Kye-U])
--Added Arne's Proxomitron Forum (http://asp.flaaten.dk/proxo/) to the URL Match (to Bypass)