Browser Security Pack
Jul. 18, 2004, 10:00 PM
Post: #106
 
Code:
Name = "IE: Local Zone Access Exploit [Kye-U]"
Match = "*(///((:)+{1,3})|((((/)+{3,*})|((\\)+{3,*}))))*"
Is this another case of the "parenthesis vs. bracket" problem?
(:) instead of [:] and (/) instead of [/] and (\\) instead of [\\]
Incidentally, can one do a match for multiples of more than one character that way?
Are all those parentheses in that expression necessary? They don't look quite right to me.
Jul. 18, 2004, 10:12 PM
Post: #107
 
Siamesecat, how about writing a filter set?

Reckon a "Siamesecat config" would be as cool as beans. Don't go hiding your light under a bushel.

_J_G_
Jul. 18, 2004, 11:41 PM
Post: #108
 
First, please ignore the question about matching multiples in the previous message. I wasn't thinking about the escape of the backslash!

Second:
Code:
Name = "Opera: Large Javascript Handling Exploit [Kye-U]"
Match = "*Array\(((9)+{5,*}|0x23((0)+{3,*}))\)*"
Another () instead of [] problem: [9] & [0].

Third:
Code:
Name = "Restricted Cookie Bypass Exploit [Kye-U]"
Match = "\0://\1/*/((%([a-f][0-9]|[0-9][a-f]))+{2,*})*\?*\=*"
Just out of curiosity, which hexadecimal codes are you looking for here?
It would match % followed by A-F followed by 0-9, or % followed by 0-9 followed by A-F (e.g. %B4 or %3D). It would not match %40 or %CF. To match two or more 2-digit hexadecimal codes, you could use
Code:
([%][0-9a-f][0-9a-f])+{2,*}
Was the intention to find 2 or more hex bytes or to find a hex number of 4 to an infinite even number of digits? If the latter, use
Code:
%([0-9a-f][0-9a-f])+{2,*}
Except for the number of digit groups, the same thing applies to:
"IE: Classic Folder View Exploit [Kye-U]"
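Added example (not part of the original thread): the coverage difference between the two hex-byte patterns discussed in post #108, checked over all 256 `%XX` codes. Python regexes stand in for the Proxomitron matching syntax as an assumption (`+{2,*}` is written `{2,}` and matching is taken as case-insensitive, as the post's examples imply); the sample URL is constructed.

```python
import re

# Python stand-ins for the Proxomitron expressions quoted in the post
# (assumptions: "+{2,*}" maps to "{2,}", matching is case-insensitive).
ORIGINAL_BYTE = re.compile(r"%([a-f][0-9]|[0-9][a-f])", re.I)
FIXED_BYTE = re.compile(r"%[0-9a-f][0-9a-f]", re.I)
ORIGINAL_RUN = re.compile(r"(%([a-f][0-9]|[0-9][a-f])){2,}", re.I)
FIXED_RUN = re.compile(r"(%[0-9a-f][0-9a-f]){2,}", re.I)


def missed_codes(pattern):
    """Return every %XX code (00-FF) the pattern fails to match in full."""
    codes = ["%{:02X}".format(n) for n in range(256)]
    return [c for c in codes if not pattern.fullmatch(c)]


def longest_run(pattern, text):
    """Return the longest run of encoded bytes the pattern finds in text."""
    runs = [m.group(0) for m in pattern.finditer(text)]
    return max(runs, key=len, default="")


# Constructed sample: four consecutive encoded bytes, using the codes
# named in the post (%3D and %B4 match the original, %40 and %CF do not).
SAMPLE = "http://example.test/a/%3D%B4%40%CF/page?x=1"

if __name__ == "__main__":
    gaps = missed_codes(ORIGINAL_BYTE)
    print(len(gaps), "of 256 codes missed by the original, e.g.", gaps[:4])
    print("fixed pattern misses:", len(missed_codes(FIXED_BYTE)))
    print("original run:", repr(longest_run(ORIGINAL_RUN, SAMPLE)))
    print("fixed run:   ", repr(longest_run(FIXED_RUN, SAMPLE)))
```

The original alternation only accepts one letter plus one digit, so every digit-digit and letter-letter byte ends the run early and a filter built on it sees only part of an encoded sequence.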
Jul. 19, 2004, 02:17 AM
Post: #109
 
Version 4.08 is now released.

Last Updated: July 18, 2004 - 10:15 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

What's New?

-Modified (Opera: Large Javascript Handling Exploit [Kye-U])
--Slight fix in the matching section ("()" to "[]")

-Modified (Restricted Cookie Bypass Exploit [Kye-U])
--Fix in the Hexadecimal code (Matching)

-Modified (IE: Classic Folder View Exploit [Kye-U])
--Fix in the Hexadecimal code (Matching)
Jul. 19, 2004, 02:18 AM
Post: #110
 
Thank you Siamesecat for being my Editor
Jul. 19, 2004, 07:19 AM
Post: #111
 
Last Updated: July 19, 2004 - 3:17 PM EST

Version 4.09

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Added Version(s) Vulnerable in Descriptions

-Modified most of the filters' URL Match $TYPE() information to possibly decrease CPU load

-Modified (Opera: Malformed Server Name Exploit [Kye-U])
--Made the match a little more detailed

-Renamed (Mozilla: 0-Width GIF Exploit [Kye-U]) to (0-Width GIF Exploit [Kye-U])
--Applied to multiple browsers

-Renamed (Mozilla: Javascript Exploit [Kye-U]) to (Javascript Location Exploit [Kye-U])
--Applied to multiple browsers
Jul. 19, 2004, 07:34 AM
Post: #112
 
Quote: Siamesecat, how about writing a filter set?
Jaded Goth,
I have my own customized set of filters which are a conglomeration of original default.cfg with changes to some of the filters, plus some I wrote, plus some I collected from other places. I don't know that they are particularly remarkable (but they work for me). I could supply a few of the filters which I have found especially useful, and which I wrote. Oddysey did admire my set of page background modification filters, which have evolved since I last posted them.
I found it advisable to create a separate set of filters for Internet Explorer because the filtering requirements differ between that and Firefox. So, if I am ever forced to start using IE again, I am prepared.
Jul. 19, 2004, 07:45 AM
Post: #113
 
Quote: Thank you Siamesecat for being my Editor
Kye-U,
You're welcome. I am learning quite a bit about the use of Prox code by reading the filters.
Jul. 19, 2004, 07:50 AM
Post: #114
 
Here is the new Read Me file that will be included in every new release. Tell me if you like it, and if it needs any revisions.

Attachment updated: http://prxbx.com/forums/index.ph...topic=131&st=0#

I too am learning a lot about Filter Writing...
Jul. 19, 2004, 07:51 AM
Post: #115
 
Kye-U,
Why did you remove the mergeme zip file? It is easier to load the filters that way.
Jul. 19, 2004, 07:52 AM
Post: #116
 
Siamesecat Wrote: Kye-U,
Why did you remove the mergeme zip file? It is easier to load the filters that way.
I've uploaded it again.

Firefox was acting funky while K-Meleon is as smooth as smooth can be...strange...maybe I'll permanently switch to K-Meleon...
Jul. 19, 2004, 08:12 AM
Post: #117
 
Code:
Name = "IE: Local Zone Access Exploit [Kye-U]"
Match = "*(///([:]+{1,3})|(([/]+{3,*})|([\\]+{3,*})))*"
Would this not be better than:
Code:
Match = "*(///((:)+{1,3})|((((/)+{3,*})|((\\)+{3,*}))))*"
??
Jul. 19, 2004, 11:18 AM
Post: #118
 
Jaded_Goth Wrote: Siamesecat, how about writing a filter set?

Reckon a "Siamesecat config" would be as cool as beans. Don't go hiding your light under a bushel.
No offense, but I have to disagree...

Movie critics do not write movies...
Book critics do not write books (with the exception, of course, of Edgar Allan Poe)...
Jul. 19, 2004, 01:08 PM
Post: #119
 
Siamesecat Wrote: I have my own customized set of filters which are a conglomeration of original default.cfg with changes to some of the filters, plus some I wrote, plus some I collected from other places. I don't know that they are particularly remarkable (but they work for me). I could supply a few of the filters which I have found especially useful, and which I wrote.
Since I seem to be the self-anointed forum test-pilot, I'd love to give them a spin, Siamese Cat.

ProxRocks, this is supposed to be the Proxomitron Community. Why not encourage each other to be the best we can?

In my opinion, a person with the ability to examine codes and say: "Hold on a moment - why do X? Wouldn't Y work better?" is an asset.

Let's steer away from labeling each other as this or that. It's repressive. It's not for me to judge the capabilities of others.

How is anyone supposed to develop as a software writer (of any description) without feedback or having people who are willing to test on their computers?

Be prepared for the Edgar Allan Poe of filter sets to come up and shake your hand, one of these days..

_J_G_
Jul. 19, 2004, 01:31 PM
Post: #120
 
lol... nothing 'repressive' was intended - even S'cat dodged your question by noting her compilation-of-a-config...

and to be honest, the primary reason for my comment is that I have considered "going public" with a config of my own...

for several reasons, actually - the main ones being -
1) JD has dropped off the face of the earth...
2) to alleviate a portion of the burden placed upon sidki...

but consider the task at hand to release a public config -
Kye-U's collection has only a SMALL handful of filters...
Kye-U's initial release pointed out that the SMALL handful took FOUR hours of his time...
The magnifying glass upon the collection has occupied 70 TIMES that of Kye-U's time...
And the SMALL handful seems to be getting updated 2 or 3 times PER day - very hard to keep up with...

If I hadn't witnessed the critiquing of the Kye-U collection, I "might" have released a public config...

But until that collection was released, I had not realized that a public config was a FULL TIME JOB...


I certainly applaud any efforts within the Proxo community that alleviates burden off our sole provider (or shall I make that "soul provider"?)...

sidki's config is AWESOME - I know that "my" set could not "compete" with it, but I certainly do NOT want to see him dropping off the face of the earth like JD seems to have done...