[Mimedefang] hi, and question about mimedefang-filter (filter_bad_filename)

Kevin A. McGrail kmcgrail at pccc.com
Tue Jul 29 17:18:01 EDT 2003


Mark,

Here is my best answer though I believe your questions might be open to
quite a bit of debate:

First, I believe the reason no one has mentioned it has to do with the low
market penetration of Netscape.

Second, regarding your fix, the question really boils down to:  if you allow
a file attachment with .com in it, will a user accidentally be able to run
the file or will a standard desktop run the extension allowing this opening
to be used maliciously?

The answer in my opinion is yes because the forward slash (/) in Microsoft
denotes a parameter and does not require a space.  So something like
dir.com/? will work.  So, I believe it's theoretical that I could attach an
executable file named www.something.com and get a user to click on it and it
would execute.

Therefore, I would say that with an understanding that Microsoft will not
change their inherently insecure ways, Netscape should change the way they
do attachments for emails.  Furthermore, I believe receiving this file via
Microsoft Outlook, arguably a very popular mail reader, would require a
registry change.

Regards,

KAM



----- Original Message ----- 
From: "Mark London" <mrl at PSFC.MIT.EDU>
To: <MIMEDEFANG at lists.roaringpenguin.com>
Sent: Tuesday, July 29, 2003 2:05 PM
Subject: [Mimedefang] hi, and question about mimedefang-filter (filter_bad_filename)


> Hi - I installed mimedefang according to the online web pages, and
> installed mimedefang-filter with the filter_bad_filename subroutine that
> looks like:
>
>     # Bad extensions
>     $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{)';
>     # Do not allow:
>     # - curlies
>     # - bad extensions (possibly with trailing dots) at end or
>     #   followed by non-alphanum
>     $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
>
> This seemed to work fine, until I sent a web page from Netscape 7, and the
> receiver of the mail was told it had a bad attachment, the problem being
> that the attachment name was:
>
> www.petfinder.com/pet.cgi?action=2&pet=1920982&adTarget=468
> petsgeneral&SessionID=3f26987d1a90052c-app2&display=&preview=1&row=0
>
> The code finds the ".com", and so tags it as being a bad extension.
> In order to avoid this problem, I added the / character in the excluded
> character list:
>
>     $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,/]|$)';
>
> But I'm curious A) why no one else has reported this problem, and B) will
> my fix allow any bad attachments to get through?  Thanks. -   Mark

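An added example, not part of the original thread and not MIMEDefang's own code: a Perl script that runs the posted pattern and the variant with "/" in the excluded class over a few attachment names, to show which names the change stops flagging. Applying the pattern with a plain regex match, the flagged() helper, and every sample name other than the ones quoted in the thread are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Extension list as posted in the thread.
my $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{)';

# The pattern as posted, and the variant with "/" added to the
# characters that may follow a listed extension without a match.
my $original = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
my $modified = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,/]|$)';

# Sample attachment names. The first is shortened from the name in the
# thread; the third and fourth come from the reply; the rest are constructed.
my @names = (
    'www.petfinder.com/pet.cgi?action=2&pet=1920982',
    'report.com',
    'www.something.com',
    'dir.com/?',
    'setup.exe.',
    'notes.txt',
);

# Hypothetical helper: 1 if the name matches the pattern, else 0.
sub flagged {
    my ($name, $re) = @_;
    return $name =~ /$re/ ? 1 : 0;
}

printf "%-48s %-9s %-9s\n", 'attachment name', 'original', 'modified';
for my $name (@names) {
    my $o = flagged($name, $original);
    my $m = flagged($name, $modified);
    # Mark names that the original pattern flags and the variant does not.
    my $note = ($o && !$m) ? '  <- no longer flagged' : '';
    printf "%-48s %-9s %-9s%s\n", $name,
        ($o ? 'flagged' : 'ok'), ($m ? 'flagged' : 'ok'), $note;
}
```

Both patterns flag a name that ends in a listed extension, with or without trailing dots; the variant differs only where the extension is followed directly by "/".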


