filename checks = wrong filename report
Matt Kettler
mkettler at evi-inc.com
Wed Jul 9 23:19:56 IST 2008
Scott Silva wrote:
> on 7-9-2008 2:43 AM Sylvain Phaneuf spake the following:
>>>>> On 09/07/2008 at 10:26, shuttlebox <shuttlebox at gmail.com> wrote:
>>> The filename in the report is the sanitized version. I've had the same
>>> problem explaining to users that the original filename was longer than
>>> 150 characters when the reported one is clearly shorter. I just added
>>> a few explaining words to the reports to solve the problem.
>>
>> I would rather have a report that is not using a "sanitized version"
>> if it were possible.
>> I would prefer not saying to the user: trust us, we know this
>> attachment is not good for you, even if the filename appears OK.
>> And in the case I am reporting, the filename is less than 150
>> characters long anyway...
>>
>> Sylvain
>>
> But if the un-sanitized name has some buffer overflow or other attack in
> it, you have a possible problem for the user. That is one reason why
> filenames are sanitized.
And this would be feasible in the body text of a text/plain message section?
(which is ultimately what the report is)
At that point they could just send the exploit in a message body and not bother
with a file in the first place.
ooohoheresmyreallyscarrrylongfilenamethatcouldbufferoverflowyourpcandletmerunwhateverIwantonit.exe
See, nothing happened, did it? Even if it was thousands of characters long, it
would be no different, because it's in the body text.
More information about the MailScanner
mailing list