[Mimedefang] filter_bad_filename missing dangerous filenames
Mike Batchelor
mikebat at tmcs.net
Fri May 23 17:50:01 EDT 2003
I am seeing messages with a dangerous attachment (.pif, etc) getting
through MIMEDefang by abusing malformed MIME headers. At least,
MIMEDefang's fix does not defang the malformed attachment as seen by the
Mulberry IMAP mail client (Cyrusoft.com).
This is what one looks like after MIMEDefang modifies it:
---snip snip---
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_0106CAA0"
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
This is a multi-part message in MIME format...
--CSmtpMsgPart123X456_000_0106CAA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
All information is in the attached file.
--CSmtpMsgPart123X456_000_0106CAA0
Content-Type: application/octet-stream;
name="ref-394755.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=""ref-394755.pif
---snip snip---
Note the filename outside the "" quotes.
This shows up as an executable attachment in Mulberry 2.2.0 for Windows.
Unfiltered messages like this show no attachment at all in Mulberry, nor do
I see it when I view the raw message. Fortunately, Mulberry never
autoexecutes anything. So it seems that Mulberry's MIME handling makes it
vulnerable, but only to messages fixed by MIMEDefang. Unfixed, malformed
messages seem to be harmless. :)
---
"The avalanche has already begun. It is too late for the pebbles to vote."
-- Kosh
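
Added example, not part of the original post and not MIMEDefang's code: a Python check that reads the name/filename parameter two ways and flags the header when the readings disagree or when either one ends in a dangerous extension. The lenient reading (ignore where the quotes sit) is an assumption about how a tolerant mail client might parse the value; the extension list and function names are also assumptions.

```python
import re

# Assumed list for this example; the post itself names only ".pif, etc".
BAD_EXT = {"pif", "exe", "scr", "bat", "com", "vbs"}

# RFC 2045 token: printable ASCII except space, controls and tspecials.
TOKEN = r'[^\s()<>@,;:\\"/\[\]?=]+'
# Strict reading: the value is a quoted-string or a token, nothing more.
STRICT = re.compile(
    r'\b(?:file)?name\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))', re.I)
# Lenient reading: everything up to the next ';', with quotes discarded.
LENIENT = re.compile(r'\b(?:file)?name\s*=\s*([^;\r\n]*)', re.I)


def filename_candidates(header_value):
    """Return (strict, lenient) readings of the name/filename parameter."""
    strict = lenient = None
    m = STRICT.search(header_value)
    if m:
        strict = m.group(1) if m.group(1) is not None else m.group(2)
    m = LENIENT.search(header_value)
    if m:
        lenient = m.group(1).replace('"', "").strip()
    return strict, lenient


def extension(name):
    """Lower-cased extension, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def assess(header_value):
    """List the reasons a filter should treat this header as suspect."""
    strict, lenient = filename_candidates(header_value)
    findings = []
    if strict != lenient:
        findings.append("ambiguous")       # two parsers would disagree
    readings = [r for r in (strict, lenient) if r is not None]
    if any(extension(r) in BAD_EXT for r in readings):
        findings.append("bad-extension")   # dangerous under some reading
    return findings


if __name__ == "__main__":
    # Header value taken from the message quoted in the post.
    print(assess('attachment; filename=""ref-394755.pif'))
```

Treating "ambiguous" as grounds to quarantine on its own covers malformed values whose lenient reading this sketch does not anticipate.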