Re: Security : WORM_HOLAR.H mass mailing gets past header_checks
Victor.Duchovni
morganstanley.com
Date: Mon Jun 02 2003 - 09:52:59 CDT
On Mon, 2 Jun 2003, Alex Kramarov wrote:
> You're right, of course. I snagged that regexp from the list, and it wasn't
> perfect. Now it's better, thank you ;) Well, at least this is not a postfix
> security problem, but only my config's.
>
The regexp is still not optimal. It is also possible to have TAB, CR and
LF characters between the "name" and "=":
    Content-Disposition: attachment; name<TAB><CR><LF>
    <TAB>=<CR><LF>
    <SPACE><TAB>filename.exe
For Postfix 2.0.x and PCRE use:
    name[\t\n\r ]*=[\t\n\r ]*
Furthermore the filename "foo.e?x/e" is the same as "foo.exe" as far as
Outlook is concerned, it ignores characters that are not legal in Win32
filenames:
    '\\', '/', ':', '*', '?', '<', '>', '|', '"'
And then there are ambiguous MIME constructs, ... In the final analysis do
not expect 100% protection from header_checks alone. Content filters can
do a more thorough job, getting much closer to 100%, but perfection evades
real-world security systems...
--
Viktor.
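
The two evasions described in the message above, handled on the content-filter side, as an added example that is not code from the post or from Postfix. The blocked-extension list and the function name blocked_attachment_names are assumptions, and the parameter parsing is deliberately simple rather than a full MIME parser.

```python
import re

# Characters the message lists as illegal in Win32 filenames. Per the message,
# Outlook ignores them, so they are removed before the extension is checked.
WIN32_ILLEGAL = '\\/:*?<>|"'
STRIP_ILLEGAL = str.maketrans("", "", WIN32_ILLEGAL)

# Assumed blocklist, for illustration only.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat"}

# The whitespace-tolerant pattern from the message, then a quoted or bare value.
# "name" also matches the tail of "filename", so both parameters are covered.
PARAM_RE = re.compile(
    r'name[\t\n\r ]*=[\t\n\r ]*(?:"([^"\r\n]*)"|([^;\r\n]*))',
    re.IGNORECASE,
)


def blocked_attachment_names(header_value):
    """Return normalized parameter values that end in a blocked extension."""
    hits = []
    for m in PARAM_RE.finditer(header_value):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        name = raw.translate(STRIP_ILLEGAL).strip().lower()
        ext = name.rpartition(".")[2] if "." in name else ""
        if ext in BLOCKED_EXT:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed header values mirroring the two cases in the message.
    samples = [
        'attachment; name\t\r\n\t=\r\n \tfilename.exe',
        'attachment; filename="foo.e?x/e"',
        'attachment; filename="report.pdf"',
    ]
    for value in samples:
        print(repr(value), "->", blocked_attachment_names(value))
```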