[Mimedefang] Decompression bombs
David F. Skoll
dfs at roaringpenguin.com
Wed Feb 4 12:10:22 EST 2004
On Wed, 4 Feb 2004, Jon R. Kibler wrote:
> According to this article, AMaViS is susceptible to this tactic. The
> article says nothing about MIMEDefang... is it also susceptible?
If your virus scanner is susceptible, then yes. If your virus scanner
isn't, then no.
MIMEDefang doesn't try to uncompress anything. It leaves it up to the
virus scanners to be that smart (or stupid, depending on your viewpoint...)
Clam has options for the maximum size of an archive to open, and a hard-coded
"maximum compression ratio" setting, but it really should have an option that
says "bail if you're uncompressing the file and the *uncompressed* data grows
to X megabytes..."
Regards,
David.
More information about the MIMEDefang
mailing list