Filetype/MailScanner bug

Glenn Steen glenn.steen at gmail.com
Tue Mar 21 11:24:29 GMT 2006


On 21/03/06, Rose, Bobby <brose at med.wayne.edu> wrote:
> Since the "Use TNEF Contents" function in the latest version, I've come
> across a pseudo bug.  It's really not a bug since both file and
> MailScanner are doing exactly what they're supposed to.
>
> If "Use TNEF Contents" is yes and a plain text message or rtf formatted
> message is processed, there is a potential for file to misinterpret a
> text message as an incorrect filetype because of string of text being in
> the correct byte position that magic is expecting for a particular
> filetype.
>
> It was stumbled upon by a one of our researchers who received a "No
> QuickTime movies allowed (msg-19905-304.txt)" warning from mail server.
> After investigation it turned out that the word "free" was in the 4th
> byte position which is also a magic signature for quicktime.  I've been
> able to dupe by sending a plain-text and an rtf formatted message with
> "RE: freezer emergency" as the first line in the message body.
>
> Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
> without compromising security.  \.txt$ is allowed in my filenames rule
> file so that currently can't be used to offset.
>
> -=Bobby

Best "solution" (aside from not trusting file with this at all) is to
make file better.... I'm sure you can improve on the simplistic "free
in the fourth position" check.
Or just reewmove that line from your magic file.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se


More information about the MailScanner mailing list