[Mimedefang] exe gets past Mimedefang

Joseph Brennan brennan at columbia.edu
Tue Sep 30 09:18:01 EDT 2003


Some virusmail product got an executable past Mimedefang this
morning.

Snip below, between ===== lines.


=========================
This is a multi-part message in MIME format...

--AE3041y0BtNV65U0h3q1C52iCF815aOpx1d4W
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<HTML><HEAD></HEAD><BODY>
<no-iframe src=3Dcid:Ag04623a3d5287QX height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--AE3041y0BtNV65U0h3q1C52iCF815aOpx1d4W
Content-Type: audio/x-midi;
	name=;key=placement_2;sz=140x60;ptile=2;ord=1042208295266[1].exe
Content-Transfer-Encoding: base64
Content-ID: <Ag04623a3d5287QX>
Content-Disposition: inline

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA
=========================


I put this in filter to get info and re-sent it to myself...

# testing
# Note: filter() receives ($entity, $fname, $ext, $type); $filename is not
# one of its arguments, so $bla stays empty in the log line below.
$bla = $filename if ($filename);
md_graphdefang_log('test', "filename: $fname bla: $bla type: $type ext: $ext");

...and got these values in syslog:

filename: UNKNOWN_PARAMETER_VALUE bla:  type: audio/x-midi ext: ,,


So evidently it can't parse the filename.  Is it the "name=;"
that is messing with us?

Interestingly my mail reader (Mulberry) also displayed the
name of the attachment as UNKNOWN_PARAMETER_VALUE rather than
the "Unnamed part #n" that it uses for parts that have no
name at all, like text parts.

Possibly we should reject parts having "name=" with no name
following.  I don't see how to capture the UNKNOWN_PARAMETER_VALUE
since as shown it is not actually the value of $fname.

If I figure it out I'll post a followup.

This problem looks familiar.  I think there is something in the
archive but I couldn't find it with UNKNOWN_PARAMETER_VALUE.

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu
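As an added example (not part of this post or of MIMEDefang's own code), here is a Python check run over the quoted message fragment. It shows what the stock `email` parser makes of the `name=;` parameter, and the two checks a filter can apply regardless of how the name parses: look for executable extensions anywhere in the Content-Type parameter tail, and sniff the decoded body for an MZ header instead of trusting the declared `audio/x-midi` type. The top-level headers and the closing boundary are assumptions (the post shows only the body); the boundary string, part headers and base64 line are taken from the post.

```python
import email
import re
from email.message import Message

# Constructed reproduction of the fragment quoted in the post. The envelope
# headers and the closing "--boundary--" line are assumed; everything else
# is copied from the post. The "\t" escape reproduces the folded header line.
BOUNDARY = "AE3041y0BtNV65U0h3q1C52iCF815aOpx1d4W"
SAMPLE_MESSAGE = f"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="{BOUNDARY}"

This is a multi-part message in MIME format...

--{BOUNDARY}
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<HTML><HEAD></HEAD><BODY>
<no-iframe src=3Dcid:Ag04623a3d5287QX height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--{BOUNDARY}
Content-Type: audio/x-midi;
\tname=;key=placement_2;sz=140x60;ptile=2;ord=1042208295266[1].exe
Content-Transfer-Encoding: base64
Content-ID: <Ag04623a3d5287QX>
Content-Disposition: inline

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA
--{BOUNDARY}--
"""

# Magic bytes worth checking against the declared type. "MZ" is the DOS/PE
# executable header; the post's base64 line ("TVqQ...") decodes to exactly that.
EXECUTABLE_MAGIC = {b"MZ": "DOS/Windows executable (MZ header)"}

# Deliberately short extension list for the demonstration.
SUSPICIOUS_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd|vbs)\b", re.IGNORECASE)


def param_tail(part: Message, header: str = "Content-Type") -> str:
    """Everything after the media type in the header, with folding undone."""
    value = re.sub(r"\r?\n[ \t]+", " ", str(part.get(header, "")))
    _, _, params = value.partition(";")
    return params.strip()


def declared_name(part: Message) -> str:
    """Name the parser extracts; for 'name=;' Python's email module yields ''."""
    return part.get_filename() or ""


def inspect_part(part: Message) -> list:
    """Return a list of findings for one leaf MIME part."""
    findings = []
    params = param_tail(part)
    # 1. A 'name' parameter that is present but empty (the "name=;" case).
    if re.search(r"(^|;)\s*name\s*=\s*(;|$)", params, re.IGNORECASE):
        findings.append("empty name= parameter")
    # 2. An executable extension anywhere in the parameter tail, where a
    #    filename-only extraction never looks.
    if SUSPICIOUS_EXT.search(params):
        findings.append("executable extension in Content-Type parameters")
    # 3. Content sniffing: decode the body and compare with the declared type.
    payload = part.get_payload(decode=True) or b""
    for magic, description in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            findings.append(
                f"body is a {description} but declared as {part.get_content_type()}"
            )
    return findings


def scan_message(raw: str) -> list:
    """Findings for each leaf part, in document order."""
    msg = email.message_from_string(raw)
    return [inspect_part(p) for p in msg.walk() if not p.is_multipart()]


if __name__ == "__main__":
    for index, findings in enumerate(scan_message(SAMPLE_MESSAGE), start=1):
        print(f"part {index}: {findings or 'clean'}")
```

The third check is the one that does not depend on the header at all: an attachment whose body starts with `MZ` is an executable whatever the Content-Type or `name` parameter says, so a filter that sniffs magic bytes is not fooled by a parameter the parser cannot make sense of.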
