Double File Extensions
Jeremy Evans
JeremyE at BSA.CA.GOV
Wed Jan 29 21:52:26 GMT 2003
In the process of testing, I found that a double extension can get through
if there is a space (or multiple spaces) between the first (fake) file
extension and the second (actual) file extension. Since a space after the
fake file extension will probably be just as invisible as the actual file
extension, it could be a way to sneak past the filters while getting the
same nefarious effect. I propose that by default the last line in
filename.rules.conf be changed to:
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
hiding Attempt to hide real filename extension
Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax
More information about the MailScanner
mailing list