possible Bug in 4.28.6 (long filenames)

Julian Field mailscanner at ecs.soton.ac.uk
Wed Apr 7 14:44:41 IST 2004


The reason you are seeing a short filename is completely intentional.
The real filename that was used in the message is indeed very long and as
such is considered "evil". Many exploits of a program can be avoided if you
never directly use any user input in any output generated by your software.
You treat all incoming data as being "tainted" and potentially dangerous.

As part of this, I treat all filenames as tainted. You may remember all the
historical attacks you could do against Windows by using the Samba client
program and asking for a file called
         \\server\public_share\..\..\private\data\credit_card_details
This attack worked because Windows didn't thoroughly clean up the filename
before they used it in the filesystem.

To ensure that filenames are safe, there are a whole bunch of rules and
transformations applied to all the attachments' filenames, which restrict each
one to a short name containing a very small subset of allowed characters. The
way I have done this means that most of the time you don't notice this
happening as the transformations are geared to leaving you with a readable
filename that looks as close to the original as possible.

No report will contain any tainted filenames, only ever using the safe
versions. Likewise for the file stored in the quarantine, etc.

Just think what would happen if I didn't do this, and an attachment arrives
called
         ../../../../../../etc/passwd
The creation of the attachment in the working directory or the quarantine
could overwrite your passwd file!
That would be "A Bad Thing (tm)" :-(

At 12:26 07/04/2004, you wrote:
>Hi all,
>
>I've had a mail blocked with the following remark:
>
>Achtung: Very long filenames are good signs of attacks against Microsoft
>e-mail
>packages (VK Preisliste .doc)
>
>now "VK Preisliste .doc" is not really that long and should not be matched by
>this expression:
>
>echo "VK Preisliste .doc" | egrep ".{150,}"
>
>gives me no match. The file ends up like this in the quarantine dir:
>
>/quarantine/20040407/A27541C110/VK\ Preisliste\ .doc
>
>(Backslashes added for better reading) so there are really no hidden
>whitespaces
>etc.
>
>any ideas on this?
>
>regards,
>Stephan
>
>PS: it's still on 4.28.6 because I haven't had the time to upgrade it to
>4.29.7

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
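
The filename handling described in the message above, sketched as an added example; it is not part of the original post and is not MailScanner's code. The allow-list, the 50-character cap and the function names `safe_name`, `quarantine_path` and `store` are assumptions chosen for illustration.

```python
import os
import re

MAX_LEN = 50                                  # assumed cap on the stored name
DISALLOWED = re.compile(r"[^A-Za-z0-9._ -]")  # assumed allow-list, inverted

def safe_name(tainted: str, fallback: str = "attachment") -> str:
    """Reduce a tainted attachment filename to a short, allow-listed basename."""
    # The sender may use either separator, so split on both and keep the last part.
    base = re.split(r"[\\/]", tainted)[-1]
    # Anything outside the allow-list (NUL, control characters, quotes) becomes "_".
    base = DISALLOWED.sub("_", base)
    # Strip leading/trailing dots and spaces: this rules out "." and "..".
    base = base.strip(". ")
    if not base:
        return fallback
    # Truncate the stem but keep a short extension so the name stays readable.
    stem, ext = os.path.splitext(base)
    if len(ext) > 10:
        stem, ext = base, ""
    return stem[:MAX_LEN - len(ext)] + ext

def quarantine_path(quarantine_dir: str, tainted: str) -> str:
    """Join the safe name to the quarantine directory and verify containment."""
    root = os.path.realpath(quarantine_dir)
    path = os.path.realpath(os.path.join(root, safe_name(tainted)))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("refusing to write outside the quarantine directory")
    return path

def store(quarantine_dir: str, tainted: str, data: bytes) -> str:
    """Write the attachment; O_EXCL means an existing file is never overwritten."""
    path = quarantine_path(quarantine_dir, tainted)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    # Constructed samples: the two hostile names from the message plus the benign one.
    for name in ("../../../../../../etc/passwd",
                 r"\\server\public_share\..\..\private\data\credit_card_details",
                 "VK Preisliste .doc", "..", "A" * 300 + ".doc"):
        print(repr(name[:40]), "->", repr(safe_name(name)))
```

Reports and logs would then print only the value returned by `safe_name`, never the original string.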


