[Esa-l] Double Extensions fails
Bjarni R. Einarsson
bre at klaki.net
Tue Feb 13 07:45:58 PST 2001
On 2001-02-13, 07:12:01 (-0800), John D. Hardin wrote:
> On Mon, 12 Feb 2001, Phil Pennock wrote:
> > Uhm, the problem is when files are called things like:
> > test.jpg<lots-of-white-space>.vbs
> > isn't it?
> That would be very bad. The current double-extension rule would not
> catch it. I didn't think of space padding.
> I have updated the master ruleset. The website will take a bit to
> update, so I've attached the new globs to this message. Please add
> them to your poisoned executables list.
The new rules are better than before, but still don't cut it.
test.jpg<lots-of-white-space>abacab.vbs is just as deceptive and
dangerous, but will still slip through if you aren't explicitly
blocking long file names or .vbs files. The variations on this
long-deceptive-filename theme are endless.
So basically, I think explicitly worrying about double extensions is
a little silly. If you have a sane policy for handling really long
file names and another sane policy for handling unknown and/or
dangerous extensions, then worrying about double extensions is
That's why I don't bother in my sanitizer (although users are free to
implement their own policies which detect double file names via
regexps in their config files).
Bjarni R. Einarsson PGP: 02764305, B7A3AB89
bre at klaki.net -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
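
The argument in the message above, as an added example that is not part of the original post and is not code from any ruleset or sanitizer mentioned in the thread: a naive double-extension pattern compared with a policy keyed on the final extension and the name length. The extension lists, length limit, verdict strings and sample names are assumptions constructed for illustration.

```python
import re

# Assumed policy values for illustration; not taken from any real ruleset.
MAX_NAME_LEN = 64
ALLOWED_EXTS = {"txt", "jpg", "png", "gif", "pdf"}
DANGEROUS_EXTS = {"vbs", "exe", "scr", "pif", "bat", "com", "js"}

# Naive double-extension rule: a "harmless" extension, optional whitespace
# padding, then a dangerous extension directly at the end of the name.
DOUBLE_EXT = re.compile(r"\.(jpg|gif|txt|doc)\s*\.(vbs|exe|scr|pif|bat)$", re.I)

def double_ext_rule(name):
    """Return True if the naive double-extension pattern matches."""
    return bool(DOUBLE_EXT.search(name))

def policy_verdict(name):
    """Classify by final extension and length, however many dots appear."""
    name = name.strip()
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in DANGEROUS_EXTS:
        return "drop:dangerous-extension"
    if len(name) > MAX_NAME_LEN:
        return "defang:long-name"
    if ext not in ALLOWED_EXTS:
        return "defang:unknown-extension"
    return "pass"

# Constructed sample names modelled on the cases discussed in the thread.
SAMPLES = [
    "holiday.jpg",
    "test.jpg.vbs",
    "test.jpg" + " " * 80 + ".vbs",
    "test.jpg" + " " * 80 + "abacab.vbs",
    "report.final.pdf",
    "notes.xyz",
    "a" * 70 + ".jpg",
]

def compare(names=SAMPLES):
    """Return (name, double-extension hit, policy verdict) for each name."""
    return [(n, double_ext_rule(n), policy_verdict(n)) for n in names]

if __name__ == "__main__":
    for name, hit, verdict in compare():
        shown = re.sub(r"\s{4,}", "<spaces>", name)
        print(f"{shown!r:40} double-ext={hit!s:5} policy={verdict}")
```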