[Mimedefang] hi, and question about mimedefang-filter (filter_bad_filename)

Kevin A. McGrail kmcgrail at pccc.com
Tue Jul 29 16:46:00 EDT 2003


Mark,

Here is my best answer though I believe your questions might be open to
quite a bit of debate:

First, I believe the reason no one has mentioned it has to do with the low
market penetration of Netscape.

Second, regarding your fix, the question really boils down to:  if you allow
a file attachment with .com in it, will a user accidentally be able to run
the file or will a standard desktop run the extension allowing this opening
to be used maliciously?

The answer in my opinion is yes because the forward slash (/) in Microsoft
denotes a parameter and does not require a space.  So something like
dir.com/? will work.  So, I believe it's theoretical that I could attach an
executable file name www.something.com and get a user to click on it and it
would execute.

Therefore, I would say that with an understanding that Microsoft will not
change there inherently insecure ways, Netscape should change the way they
do attachments for emails.  Furthermore, I believe receiving this file via
Microsoft Outlook, arguable a very popular mail reader, would require a
registry change.

Regards,

KAM



> www.petfinder.com/pet.cgi?action=2&pet=1920982&adTarget=468
> petsgeneral&SessionID=3f26987d1a90052c-app2&display=&preview=1&row=0
>
> The code finds the ".com", and so tags it as being a bad extension.
> In order to avoid this problem, I added the / character in the excluded
> character list:
>
>     $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,/]|$)';
>
> But I'm curious A) why no one else has reported this problem, and B) will
my
> fix allow any bad attachments to get through?  Thanks. -   Mark




More information about the MIMEDefang mailing list