bypass file extension restrictions under mime_checks
admin
mac-s.be
Date: Fri Jan 20 2006 - 03:17:35 CST
Hi
I have found on several websites the regexp rulesets to use under mime_checks to reject sensitive attachments..
############# mime_checks #############
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll|exe|hlp|hta|in[fs]|isp|lnk|js|jse|lnk|ocx|md[etw]|ms[cipt]|nws|ocx|ops|pcd|pi|pif|prf|reg|scf|scr|sct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh]))"?\s*$/
    REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected.
############# EOF #####################
I found out it's actually quite simple to bypass (at least on my system)..
fevrier.exe wouldn't get through the system because it would match the rule..
février.exe would get through..
To me, the reason is that the filename gets encoded as ISO-8859-1 (or another charset on other systems?) when it contains an accent, so it won't match the regexp rule.
fevrier.exe :
-------------
Content-Type: application/x-msdownload;
    name="fevrier.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
    filename="fevrier.exe"
février.exe :
-------------
Content-Type: application/x-msdownload;
    name="=?ISO-8859-1?Q?f=E9vrier=2Eppt?="
Content-Transfer-Encoding: base64
Content-Disposition: inline;
    filename="=?ISO-8859-1?Q?f=E9vrier=2Eexe?="
I tried finding a working ruleset last night but none of them worked, can anyone help out?
Thanks
Seb
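The gap Seb describes is that the rule matches the raw header text, while the real extension only appears after the RFC 2047 encoded word is decoded. The following is an added example, not code from the post or from Postfix: it puts the posted regexp beside a decode-then-check variant and shows that the encoded filename slips past the first but not the second. It assumes each header has already been unfolded onto one logical line; the header strings are constructed from the ones in the post.

```python
import re
from email.header import decode_header

# Extension alternation copied from the posted mime_checks rule
# (the duplicate "lnk" and "ocx" entries are dropped, which changes nothing).
BLOCKED_EXT = (
    r"ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll|exe|hlp|hta|in[fs]|isp|lnk|js|jse"
    r"|ocx|md[etw]|ms[cipt]|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|sh[bms]|swf|uue"
    r"|vb|vb[esx]|vxd|wab|ws[cfh]"
)

# Equivalent of the posted rule: applied to the header exactly as it is on the wire.
RAW_RULE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(' + BLOCKED_EXT + r'))"?\s*$',
    re.IGNORECASE,
)
# Extracts the (optionally quoted) value of a name= or filename= parameter.
NAME_PARAM = re.compile(r'(?:file)?name\s*=\s*"?([^";]+)"?', re.IGNORECASE)
# Extension check applied to the decoded filename only.
EXT_RULE = re.compile(r"\.(" + BLOCKED_EXT + r")$", re.IGNORECASE)


def decode_rfc2047(value: str) -> str:
    """Turn =?charset?Q?...?= encoded words (RFC 2047) into plain text."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def raw_rule_matches(header_line: str) -> bool:
    """What the posted header_checks rule sees: the undecoded header."""
    return RAW_RULE.search(header_line) is not None


def decoded_name_matches(header_line: str) -> bool:
    """Decode the parameter value first, then test the real extension."""
    m = NAME_PARAM.search(header_line)
    if not m:
        return False
    return EXT_RULE.search(decode_rfc2047(m.group(1))) is not None


# Constructed sample headers, taken from the two attachments in the post.
PLAIN = 'Content-Disposition: inline; filename="fevrier.exe"'
ENCODED = 'Content-Disposition: inline; filename="=?ISO-8859-1?Q?f=E9vrier=2Eexe?="'
```

Running the two checks over `ENCODED` shows the difference: the raw rule reports no match, the decoded check reports a blocked `.exe`.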