Filetype/MailScanner bug

Richard Frovarp Richard.Frovarp at sendit.nodak.edu
Wed Mar 29 18:14:45 IST 2006


You are of course assuming that no one will ever try to sneak an unwanted 
file type through by giving it a txt extension. The whole point of 
checking file types is that you don't trust the extensions. A user could 
change all of their files to have extensions of txt and get past every time.

Rose, Bobby wrote:

>I just had another message get misidentified by the new "Use TNEF
>Contents" option and filetype on the text part of the message that this
>function creates.  No QuickTime movies allowed (msg-24987-72.txt) 
>
>Yeh I could disable the new option, or change the magic file to remove
>quicktime signatures or even change the filetype.conf but then again
>that defeats the intended purpose of the new option and/or the blocking
>of quicktime filetypes.  But it makes more sense to not be passing the
>msg.txt file created by the new function thru filetype.  Plus,
>filename.conf entries don't seem to override filetype.conf entries as
>.txt is listed in the filename.conf by default.
>
>Bobby Rose
>
>
>
>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
>Bobby
>Sent: Monday, March 20, 2006 9:58 PM
>To: MailScanner discussion
>Subject: Filetype/MailScanner bug
>
>Since the "Use TNEF Contents" function in the latest version, I've come
>across a pseudo bug.  It's really not a bug since both file and
>MailScanner are doing exactly what they're supposed to.
>
>If "Use TNEF Contents" is yes and a plain text message or rtf formatted
>message is processed, there is a potential for file to misinterpret a
>text message as an incorrect filetype because of a string of text being in
>the correct byte position that magic is expecting for a particular
>filetype.
>
>It was stumbled upon by one of our researchers who received a "No
>QuickTime movies allowed (msg-19905-304.txt)" warning from the mail server.
>After investigation it turned out that the word "free" was in the 4th
>byte position which is also a magic signature for quicktime.  I've been
>able to dupe by sending a plain-text and an rtf formatted message with
>"RE: freezer emergency" as the first line in the message body.
>
>Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
>without compromising security?  \.txt$ is allowed in my filenames rule
>file so that currently can't be used to offset.
>
>-=Bobby
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 
>
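
The false positive described in the quoted report, as an added example (not part of the original thread, and not MailScanner or file code): an offset-only signature test fires on the text body, while a test that also validates the QuickTime atom size fields does not, and neither looks at the file name. The atom types other than "free" and both sample buffers are constructed assumptions.

```python
import struct

# Atom types tested at offset 4. "free" is the one named in the thread;
# the other three are assumed here for illustration.
ATOM_TYPES = {b"free", b"moov", b"mdat", b"wide"}

def naive_magic_match(data: bytes) -> bool:
    """Offset-only test: four bytes at offset 4 equal a known atom type."""
    return data[4:8] in ATOM_TYPES

def walk_atoms(data: bytes):
    """Parse data as a chain of QuickTime atoms (big-endian 32-bit size,
    then 4-byte type). Return the list of types, or None if the size
    fields do not tile the buffer exactly."""
    pos, types = 0, []
    while pos < len(data):
        if pos + 8 > len(data):
            return None
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                     # 64-bit size follows the type
            if pos + 16 > len(data):
                return None
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:                   # atom extends to end of data
            size = len(data) - pos
        if size < header or pos + size > len(data):
            return None
        types.append(kind)
        pos += size
    return types or None

def structural_match(data: bytes) -> bool:
    """Signature at offset 4 AND a consistent atom chain."""
    types = walk_atoms(data)
    return types is not None and types[0] in ATOM_TYPES

# Constructed samples: the message body from the report, and a minimal
# two-atom buffer (empty "free" atom, then "mdat" with 4 payload bytes).
TEXT_MSG = b"RE: freezer emergency\n\nThe freezer in lab 3 failed overnight.\n"
ATOMS = struct.pack(">I4s", 8, b"free") + struct.pack(">I4s", 12, b"mdat") + b"\x00" * 4

if __name__ == "__main__":
    for name, buf in (("text message", TEXT_MSG), ("atom chain", ATOMS)):
        print(f"{name}: naive={naive_magic_match(buf)} structural={structural_match(buf)}")
```

In the text body the bytes "RE: " are read as an atom size of 0x52453A20, far larger than the message, which is why the structural test rejects it. A truncated movie would fail the same test, so it fits as a second opinion on parts the scanner generated itself rather than as a replacement for the filetype rule.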


