CLSID in filenames
Peter Bonivart
bonivart at opencsw.org
Thu Mar 8 12:48:48 GMT 2012
I have some customers receiving files like this:
VENDET_83410_20120124_{396E4021-9322-4F70-9A2C-45ECD782B8A6}.pdf.
They trigger the default CLSID rule in filename.rules.conf:
# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
I googled it and found this:
http://www.juniper.net/security/auto/vulnerabilities/vuln2612.html.
According to that it's only dangerous if the CLSID is at the end of
the filename, in the example above a normal extension comes after the
CLSID. Would it be recommended to change the rule to something like
this?
# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
/peter
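
Added example, not part of the original post and not MailScanner code: a small Python check of how the default rule and the proposed anchored rule classify the filename from the post and a constructed filename that ends in a CLSID. Tab-separated fields, first-match-wins evaluation and the helper names parse_rules and decide are assumptions of this sketch.

```python
import re

LOG = "Filename trying to hide its real type"
REPORT = "Files containing CLSID's are trying to hide their real type"

def make_ruleset(pattern):
    # Constructed rules text: a comment line plus one rule with four
    # tab-separated fields (action, regex, log text, report text).
    rule = "\t".join(["deny", pattern, LOG, REPORT])
    return "# Deny filenames containing CLSID's\n" + rule + "\n"

DEFAULT_RULES = make_ruleset(r"\{[a-hA-H0-9-]{25,}\}")    # rule quoted in the post
ANCHORED_RULES = make_ruleset(r"\{[a-hA-H0-9-]{25,}\}$")  # proposed change

def parse_rules(text):
    """Parse rules text into (action, compiled regex, log text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # not a usable rule line
        log = fields[2] if len(fields) > 2 else ""
        rules.append((fields[0].lower(), re.compile(fields[1]), log))
    return rules

def decide(filename, rules):
    """Return (action, log text) of the first rule whose regex matches."""
    for action, regex, log in rules:
        if regex.search(filename):
            return action, log
    return "allow", "no rule matched"

# Filename from the post, and a constructed name whose last component is a CLSID.
MID_NAME = "VENDET_83410_20120124_{396E4021-9322-4F70-9A2C-45ECD782B8A6}.pdf"
END_NAME = "report.txt.{396E4021-9322-4F70-9A2C-45ECD782B8A6}"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_RULES), ("anchored", ANCHORED_RULES)):
        rules = parse_rules(text)
        for name in (MID_NAME, END_NAME):
            print(f"{label:8} {decide(name, rules)[0]:5} {name}")
```

With the default rule both names are denied; with the anchored rule only the name ending in the CLSID is denied.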