From: Nathan Wallwork [mailto:owen () pungent org]
Sent: Tuesday, September 09, 2003 1:18 PM
On Mon, 8 Sep 2003, Drew Copley wrote:
The only sure way to detect this, I already wrote about [to
That is by setting a firewall rule which blocks the
[Content-Type: application/hta]. Everything else in the
exploit can change.
Just so we are clear, the firewall wouldn't tbe he right
place to catch
this because that string could be split by packet
fragmentation, so you'd
need to look for it at an application level, after the data stream
has been reassembled.