[Esa-l] attachments being renamed.

Bjarni R. Einarsson bre at klaki.net
Tue Feb 13 11:42:04 PST 2001


On 2001-02-13, 12:26:32 (-0700), Lee Howard wrote:
> 
> Do I change the Content-Type line to read?:
> 
> Content-Type: image/tiff; name="FAX from $info{sender} at $info{received}"

Sounds good.  I would suggest appending ".tif" to it as well, although
that appears to be sort of optional...

> >Interesting that you're seeing "default.tif". The sanitizer just
> >inserts "default" with no extension. Maybe it's not a good defense
> >against social engineering if the mail client insists on adding an
> >extension...
>
> Hrmmm... I'm using that darn Outlook Express in this particular case.  Does
> that mean that if the Content-Type line had been something like
> application/vbs that it would have "gotten around" the sanitizer?

Yup, assuming your Outlook recognizes application/vbs.

One of these days I am (or someone else is) going to have to sit down
and examine where and how exactly Microsoft mail programs choose their
file names.  In the name of "user friendliness" they appear to go to
great lengths to "guess" what the file name should be... which is a
major security headache for tools like the sanitizer.  The list keeps
getting longer - HTML.dropper added the Subject line to the list, now
we also have to keep track of Content-Description.

And what does the mailer do if MORE THAN ONE filename header is
present, each presenting different information?  Yuck.

I'm somewhat tempted to just ignore file-names altogether and switch
to a magic-based policy method in my sanitizer.  Which is ever so much
harder...

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
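An added example, not part of the original thread or of the Anomy sanitizer, showing why a filename-based policy is hard to get right: it collects every header a client might mine for a name (Content-Disposition filename, Content-Type name, Content-Description) and compares the implied extensions with the type sniffed from the payload's leading bytes, the magic-based approach mentioned above. The MIME message, the magic table and the function names are constructed for the demonstration.

```python
import email
from email import policy, utils

# Constructed sample message: one attachment whose three name hints disagree
# with each other, while the payload is really a TIFF ("II*\x00" header).
SAMPLE = (
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    'Content-Type: image/tiff; name="fax.tif"\r\n'
    "Content-Description: invoice.doc\r\n"
    'Content-Disposition: attachment; filename="invoice.vbs"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\nSUkqAAgAAAA=\r\n"
    "--b1--\r\n"
)

# Small magic table (assumption: extend it for the types your site handles).
MAGIC = {b"II*\x00": "image/tiff", b"MM\x00*": "image/tiff",
         b"%PDF": "application/pdf", b"\xd0\xcf\x11\xe0": "application/msword"}

def name_hints(part):
    """Every (header, value) pair a client might turn into a filename."""
    hints = []
    for header, param in (("Content-Disposition", "filename"),
                          ("Content-Type", "name")):
        value = part.get_param(param, header=header)
        if isinstance(value, tuple):  # RFC 2231 encoded parameter
            value = utils.collapse_rfc2231_value(value)
        if value:
            hints.append((header, value))
    if part.get("Content-Description"):
        hints.append(("Content-Description", str(part["Content-Description"]).strip()))
    return hints

def sniff_type(data):
    """Classify by leading bytes instead of trusting any declared name."""
    return next((m for magic, m in MAGIC.items() if data.startswith(magic)),
                "application/octet-stream")

def check_attachment(part):
    """Flag a part whose name hints or declared type disagree with its content."""
    hints = name_hints(part)
    sniffed = sniff_type(part.get_payload(decode=True) or b"")
    exts = sorted({v.rsplit(".", 1)[-1].lower() for _, v in hints if "." in v})
    return {"hints": hints, "declared": part.get_content_type(), "sniffed": sniffed,
            "extensions": exts, "suspicious": len(exts) > 1 or sniffed != part.get_content_type()}

def scan(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return [check_attachment(p) for p in msg.walk() if not p.is_multipart()]
```

Run `scan(SAMPLE)`: the single attachment comes back with three competing extensions (doc, tif, vbs), which is exactly the ambiguity a client resolves by guessing and a sanitizer cannot resolve from names alone.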
