Filetype/MailScanner bug
Rose, Bobby
brose at med.wayne.edu
Tue Mar 21 02:57:53 GMT 2006
Since the "Use TNEF Contents" function in the latest version, I've come
across a pseudo bug. It's really not a bug since both file and
MailScanner are doing exactly what they're supposed to.

If "Use TNEF Contents" is yes and a plain text message or rtf formatted
message is processed, there is a potential for file to misinterpret a
text message as an incorrect filetype because of a string of text being in
the correct byte position that magic is expecting for a particular
filetype.

It was stumbled upon by one of our researchers who received a "No
QuickTime movies allowed (msg-19905-304.txt)" warning from the mail server.
After investigation it turned out that the word "free" was in the 4th
byte position which is also a magic signature for QuickTime. I've been
able to dupe by sending a plain-text and an rtf formatted message with
"RE: freezer emergency" as the first line in the message body.

Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
without compromising security? \.txt$ is allowed in my filenames rule
file so that currently can't be used to offset.
-=Bobby
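
Added example, not part of the original post and not code from MailScanner or file: a Python sketch of why the offset-only match fires on "RE: freezer emergency", next to a stricter check that also validates the atom size field in front of the type. The function names and the "moov"/"mdat" entries are assumptions for illustration; only "free" comes from the post.

```python
import struct

# Assumption: the naive rule mirrors what the post describes, a 4-byte string
# compared at byte offset 4. Only "free" comes from the post; "moov" and "mdat"
# are other common QuickTime atom types added for illustration.
ATOM_TYPES = (b"free", b"moov", b"mdat")


def naive_magic_match(data: bytes) -> bool:
    """Offset-only check: any content with an atom name at bytes 4..7 matches."""
    return data[4:8] in ATOM_TYPES


def structural_match(data: bytes) -> bool:
    """Require the first atom header to be consistent with the file length.

    A QuickTime atom starts with a 32-bit big-endian size followed by the
    4-byte type. Size 1 means a 64-bit size follows; size 0 means the atom
    runs to end of file. Anything else must be >= 8 and fit in the data.
    """
    if len(data) < 8 or data[4:8] not in ATOM_TYPES:
        return False
    (size,) = struct.unpack(">I", data[:4])
    if size == 0:
        return True
    if size == 1:
        if len(data) < 16:
            return False
        (size64,) = struct.unpack(">Q", data[8:16])
        return 16 <= size64 <= len(data)
    return 8 <= size <= len(data)


# Constructed samples: the message body from the post, and a minimal
# well-formed "free" atom (8-byte header plus 8 bytes of padding).
TEXT_BODY = b"RE: freezer emergency\r\nPlease check the lab freezer.\r\n"
REAL_ATOM = struct.pack(">I4s", 16, b"free") + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("text body", TEXT_BODY), ("free atom", REAL_ATOM)):
        print(name, naive_magic_match(blob), structural_match(blob))
```

In the text body the four bytes "RE: " decode as an atom size of 0x52453A20, far larger than the message, so the structural check rejects it while still accepting the well-formed atom.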