Very long filenames?
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Feb 22 16:48:02 GMT 2008
Mark Sapiro wrote:
> Bjørn T Johansen wrote:
>
>> But how long is max length? And is there a way to find the original filename?
>
> <snip>
>
>>>> The only option I can find in filenames.rules.conf is this..:
>>>>
>>>> deny .{150,} Very long filename, possible OE attack
>
> That regexp matches anything 150 or more characters long, so the max
> length is 149.
>
> If the message was quarantined, I expect the original name is in the
> quarantined message. If not, there is a MailScanner entry in maillog,
> but I don't know if it has the original or the sanitized name.
>
The original filename is put in the log. Only sanitised names are ever
passed back to the user. As far as I am aware, there are no attacks that
can be launched by putting nasty strings in the call to syslogd. It is
just truncated to the maximum length of the syslog entry. But there are
many attacks that can be launched by putting arbitrary strings into
email messages sent to the user. Just imagine a long filename that
contained newline sequences and MIME boundaries: you could put an entire
attachment into a maliciously crafted filename.
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
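The filename-injection risk Jules describes, as an added Python example that is not part of the thread and not MailScanner's own code: the quoted `deny .{150,}` rule only catches length, so a short name carrying CR/LF and a MIME boundary passes it, and a separate sanitising step (hypothetical `sanitise_filename`, modelled on the "only sanitised names are passed back" behaviour) is what keeps the name safe to echo to a user. The rule is compiled without DOTALL to mirror Perl's default `.` (an assumption about how MailScanner evaluates it).

```python
import re

# The filenames.rules.conf entry quoted in the thread. Perl's '.' does not
# match a newline by default, so the rule is compiled without DOTALL here
# (an assumption about how the rule is evaluated, not verified against
# MailScanner's source).
LONG_NAME_RULE = re.compile(r".{150,}")

# Control characters, including CR and LF, must never reach a MIME header.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def matches_long_name_rule(filename: str) -> bool:
    """True if the quoted 'deny .{150,}' rule would reject this filename."""
    return LONG_NAME_RULE.search(filename) is not None


def has_header_injection(filename: str) -> bool:
    """True if the name carries CR/LF, the precondition for smuggling a
    MIME boundary or extra headers through a filename parameter."""
    return "\r" in filename or "\n" in filename


def sanitise_filename(filename: str, max_len: int = 149) -> str:
    """Constructed sanitiser (hypothetical, not MailScanner's own): replace
    control characters, neutralise '--' so no line can act as a part
    boundary, and cap the length to what the rule would have allowed."""
    cleaned = _CONTROL.sub("_", filename)
    cleaned = cleaned.replace("--", "__")
    return cleaned[:max_len]


if __name__ == "__main__":
    # Constructed sample: a short name that hides a whole MIME part.
    crafted = ("report.txt\r\n--boundary42\r\nContent-Type: text/plain\r\n"
               "\r\nsmuggled body")
    print("length rule fires:", matches_long_name_rule(crafted))
    print("injection present:", has_header_injection(crafted))
    print("sanitised:", sanitise_filename(crafted))
```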