Browser Security Pack
Sep. 08, 2005, 07:34 AM
Post: #331
I have some questions about this filter:
Code:
In = FALSE

To shorten the match line slightly, why not reword "Connection to Suspicious Extension" to "URL with Suspicious Extension"?

Why have both a confirmation box and an alert box? If one answers no to the question, one would expect the connection to be killed, so why bother with the alert message?

What are the values of \1 and \3 if the response is yes?

In the extension list, why block .pcd files? What is so dangerous about Kodak Photo CD pictures? Why block .msp? From what I could find out, it is a kind of bitmap picture.

Sep. 08, 2005, 06:52 PM
Post: #332
I've used the file extensions list from:
http://www.lancs.ac.uk/iss/a-virus/banned.htm

I will release v4.44 with some minor fixes to the filter. (Remove the alert box, reword the message)

Sep. 09, 2005, 06:08 AM
Post: #333
Kye-U,
That is an interesting list. Apparently, some extension names have more than one meaning.

What about the values of \1 and \3 in the match? Why is \3 needed? What would its value be if the answer to the question about allowing the connection is yes?

Sep. 09, 2005, 06:58 PM
Post: #334
\3 is needed because you either accept or deny the connection. (Deny is \1, which kills the connection).
\3 is blank deliberately so that no action will be taken so that the connection can take place. (\3 represents the acceptance of a connection).

I hope this clears things up.

Sep. 09, 2005, 07:49 PM
Post: #335
Version 4.44 is Released!
Last Updated: September 9th, 2005 - 4:50 PM EST

What's New?
Quote: [-Version 4.44-]
http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!
MD5: F84B03EE3789EB53B518FB0E59B61B9F

Sep. 10, 2005, 05:24 AM
Post: #336
Quote: (Deny is \1, which kills the connection).

Have I misunderstood the logic then? I thought that "yes" skipped the "$SET" commands after the "|" and went directly to the Replace, whereas "no" went on to what comes after "|". In the case of a yes answer, either \1 or \3 must be the URL, but which one, and what is the value of the other one?

Sep. 10, 2005, 07:11 AM
Post: #337
Kye-U, if you keep this up, I'm going to wear out the T, h, a, n, k, and s keys on my keyboard.
You were fast with the 'Mozilla: "Host:" Buffer Overflow Exploit' ... w f ... my eybo d i ' wor i g I gue I'll h ve o y "merci" i e d!

Sep. 10, 2005, 10:46 PM
Post: #338
Siamesecat: You're right. I have removed the \3 variable and I will release v4.45 when there's a new exploit discovered.
The Header Match now looks like:
Code:
*&($CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with Suspicious Extension Killed\k))

nIsle: Thanks. I haven't been flooded with work for school yet, but as time progresses, it is inevitable it will.

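A Python model of the confirm-or-kill logic discussed in posts #334 to #338, added here as an illustration; it is not Kye-U's filter and not Proxomitron code. The function names, the `confirm` callback and the extension list are assumptions (only .pcd and .msp are named in the thread), and the yes/no behaviour follows the reading given in post #336.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample blocklist; only .pcd and .msp are named in the thread.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".pif", ".pcd", ".msp"}

KILL_MESSAGE = "URL with Suspicious Extension Killed"  # wording from post #338


def suspicious_extension(url):
    """Return the blocklisted extension of the URL's path, or None."""
    # Use only the path: a query string or fragment must not hide the extension,
    # and percent-encoding (file%2Eexe) is decoded before the check.
    path = unquote(urlsplit(url).path)
    # Windows drops trailing dots and spaces from file names, so "a.exe." is "a.exe".
    name = posixpath.basename(path).rstrip(". ").lower()
    ext = posixpath.splitext(name)[1]
    return ext if ext in SUSPICIOUS_EXTENSIONS else None


def filter_request(url, confirm):
    """Model of the match `$CONFIRM(...)|$SET(1=<message>\\k)`.

    `confirm` is a hypothetical callback standing in for the dialog box.
    Returns (allowed, message).
    """
    if suspicious_extension(url) is None:
        return True, ""              # filter does not apply to this URL
    prompt = ("SUSPICIOUS FILE EXTENSION FOUND\n\n"
              "Allow connection to the URL below?\n\n" + url)
    if confirm(prompt):
        # "Yes": the first alternative matched, so the part after "|" never
        # runs and no variable is set. The connection proceeds.
        return True, ""
    # "No": the second alternative runs, sets the message and kills the connection.
    return False, KILL_MESSAGE


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("http://example.test/pics/photo.PCD?size=big",
              "http://example.test/index.html"):
        print(u, filter_request(u, lambda prompt: False))
```

The model needs a single outcome variable for the "no" branch, which matches the conclusion in the thread that \3 could be dropped.
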
Sep. 11, 2005, 05:26 AM
Post: #339
Kye-U,
Don't forget the replacement. It does not need the extra variable either.

Sep. 14, 2005, 01:27 AM
Post: #340
Version 4.45 is Released!
Last Updated: September 13th, 2005 - 10:30 PM EST

What's New?
Quote: [-Version 4.45-]
http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!
MD5: B7045A1E30403CD60D42A30E0B64FF7D

Sep. 14, 2005, 01:38 AM
Post: #341
Added (IDN Spoof Exploit [non-troppo] {Kye-U}) because some links were not caught by my spoofed address filter, and Sidki's header filter just reveals the URL, but doesn't kill it.
Example: http://my.opera.com/community/forums/top...ment827533
The last post on that page.

Sep. 14, 2005, 06:01 AM
Post: #342
Kye-U,
Why do you need to filter these spoofed character links? I have been told that IE will not handle those characters anyway. Mozilla browsers display the domain names in such a manner to make it obvious that something is not what it appears to be. That leaves Opera. I do not know what it does with those addresses.

Sep. 14, 2005, 09:01 AM
Post: #343
Newbie question RE:JS Exception
Newbie question:
After installing Kye-U's Browser Security Pack v4.44 for the first time, Proxomitron detects the JS Exception, attributed to http://a.as-us.falkag.net/dat/dlv/aslmain.js, on http://online.tvguide.com/listings.

I don't have MSJava installed, so should I care about this notification? Should I poke the webmaster about the issue? Should I open another bottle of this very pleasant Coppola Black Diamond Reserve, or just call it a night?

Please accept my preliminary gratitude for any assistance provided herein.

Sep. 14, 2005, 06:58 PM
Post: #344
Siamesecat, that filter is just to catch whatever links get past my Spoofed Address filter. It should've been a Header filter, but I wanted it to notify the user that an IDN Spoof has been killed.
IntellectArsenal, thank you for that. I have made the filter more specific (so that it only matches code=$AV(com.ms.activeX.ActiveXComponent)).

I will release 4.46 later today.

Sep. 15, 2005, 12:36 AM
Post: #345
Version 4.46 is Released!
Last Updated: September 14th, 2005 - 9:40 PM EST

What's New?
Quote: [-Version 4.46-]
http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!
MD5: C16B09A2ED1180E8B3D454AED19F5560