[Mimedefang] mailsploit prevention in MD

Kevin A. McGrail KMcGrail at PCCC.com
Wed Dec 6 08:06:39 EST 2017


On 12/6/2017 7:52 AM, Jan-Pieter Cornet wrote:
> None of the mailsploit exploits target \n chars. I wouldn't worry 
> about those. My implementation only matches \0 chars. You don't need 
> [] around the char. Or you could write /\000/ as a full octal charcode.
From my research this morning, the exploit in general is the inclusion 
of control codes by using encoding of base64 and utf8 to bypass RFC 
sanity checks.  The specific examples he used show improper MUA parsing 
of the \0 but it's unknown what some MUAs will do with control codes in 
these fields.

So the [] was written because I expect other control codes to be brought 
up to also block.  And originally I was trying to block \n but of course 
a header has to have just one \n.
> One of the mailsploit tests that I currently don't deal with encodes an 
> email address in the username part of the sender. I should block those 
> too... 
Yeah, I haven't looked at the exploits he's published before.  Any 
technical details on that one?

Regards,
KAM
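
Added example (not from the original post and not MIMEDefang's own code): the check discussed in this thread, written as stand-alone Perl that decodes each RFC 2047 encoded-word in a header and reports control characters found in the decoded payload. The function name, the sample headers and the set of control characters flagged are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use Encode qw(decode);

# Return the control characters (as U+XXXX) hidden inside the RFC 2047
# encoded-words of one raw header. Only decoded payloads are inspected, so
# the header's own terminating newline and folding whitespace never match.
sub encoded_control_chars {
    my ($raw) = @_;
    my @hits;
    while ($raw =~ /=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=/g) {
        my ($charset, $enc, $text) = ($1, uc($2), $3);
        my $bytes;
        if ($enc eq 'B') {
            $bytes = decode_base64($text);
        } else {
            ($bytes = $text) =~ tr/_/ /;                  # Q: "_" is a space
            $bytes =~ s/=([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        # Unknown or broken charset: fall back to the raw bytes.
        my $chars = eval { decode($charset, $bytes) };
        $chars = $bytes unless defined $chars;
        # Assumed policy: every C0 control plus DEL; narrow to \0 if desired.
        push @hits, map { sprintf 'U+%04X', ord($_) }
                    $chars =~ /([\x00-\x1F\x7F])/g;
    }
    return @hits;
}

# Constructed sample headers (not taken from the thread).
my $b64 = encode_base64("alice\@example.com\0", '');
my @samples = (
    "From: =?utf-8?b?${b64}?= <mallory\@example.net>\n",
    "From: =?utf-8?Q?Alice=00?= <mallory\@example.net>\n",
    "From: =?utf-8?Q?J=C3=B6rg_M=C3=BCller?= <joerg\@example.org>\n",
);
for my $header (@samples) {
    my @hits = encoded_control_chars($header);
    chomp(my $shown = $header);
    printf "%-6s %-14s %s\n", (@hits ? 'REJECT' : 'ok'), "@hits", $shown;
}
```

A plain `/\000/` match on the raw header would miss the first two samples, because the NUL only exists after the base64 or quoted-printable layer is decoded.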