Bug in long filename rule?

Julian Field mailscanner at ecs.soton.ac.uk
Wed Feb 5 10:45:43 GMT 2003


The filename included in the report is the sanitised filename, not the
original one that was contained in the message.

First rule for avoiding odd security vulnerabilities you haven't thought
of: Never put user input into anything that is ever presented as output.
Hundreds of packages have been caught out by this.

All you need to do here would be to have a nasty MIME attachment completely
contained within the filename of another (harmless) MIME attachment. Then
this rule would report the filename it didn't like, which in the outgoing
message would look like a (nasty) MIME attachment, so the email application
would present it as an attachment, thereby avoiding all the virus scanning.

The filename you see has a short maximum length, and can only contain a
very small set of harmless characters and certainly no punctuation or
control characters.

At 20:14 04/02/2003, you wrote:
>Is this a bug in the new rule?
>
>Report: Very long filenames are good signs of attacks against Microsoft
>e-mail packages (Sn-Mesoporphyr.htm)
>
>-=B

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
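The sanitisation described above (short maximum length, a small set of harmless characters, no punctuation or control characters) as an added illustration; this is example code written for this page, not MailScanner's own implementation. The allowed character set, the 40-character limit and the sample filenames are assumptions chosen for the example, and the hostile filename is a constructed string showing why raw user input must never be echoed into the report.

```python
import re

# Assumed policy for the example (not MailScanner's actual rules):
# keep only letters, digits, dot, underscore and hyphen, and cap the length.
MAX_LEN = 40
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,%d}$" % MAX_LEN)


def sanitise_filename(name: str, max_len: int = MAX_LEN) -> str:
    """Return a version of `name` that is safe to print in a report.

    Every character outside the allowed set (including CR, LF and all
    other control characters) is replaced, runs of replacements are
    collapsed, and the result is truncated to `max_len`.
    """
    cleaned = UNSAFE_CHARS.sub("_", name)
    cleaned = re.sub(r"_+", "_", cleaned)
    cleaned = cleaned[:max_len]
    return cleaned or "unnamed"


def is_safe_for_output(name: str) -> bool:
    """True if `name` already satisfies the output policy."""
    return SAFE_NAME.match(name) is not None


def report_line(original_name: str) -> str:
    """Build the report text, always from the sanitised filename."""
    return ("Report: Very long filenames are good signs of attacks against "
            "Microsoft e-mail packages (%s)" % sanitise_filename(original_name))


# Constructed sample: a benign filename, and one that smuggles line breaks
# and a header-looking fragment. If the raw name were copied into the
# report, the mail client could parse it as extra MIME structure.
BENIGN = "Sn-Mesoporphyr.htm"
HOSTILE = "harmless.txt\r\n--boundary\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for name in (BENIGN, HOSTILE):
        print("raw safe?      ", is_safe_for_output(name))
        print("sanitised:     ", repr(sanitise_filename(name)))
        print("report line:   ", report_line(name))
```

Note that the check is applied on the way out, not only on the way in: `report_line` never sees the original string, so a filename that passed some earlier filter by accident still cannot carry line breaks or header syntax into the generated message.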