[Esd-l] Double attachment STILL gets through
markjt at fredo.co.uk
Thu Nov 15 22:08:01 PST 2001
> I have not had any response to my previous query - is nobody else affected?
Well, yes and no. After testing today I find that any file attached ('enclosed') as Text/plain
with Pegasus mail will not be mangled or poisoned by the sanitizer as far as I can see.
This means any *.com *.bat etc. passes through untouched even when it's in
MANGLE_EXTENSIONS or poisoned. This happens to an email with a single
attachment as well, so your problem may have a different cause.
> I have *.com files poisoned, but if someone sends us a .com file and a .doc file as
> attachments, they get through the system. If it's not just our setup, be aware that your
> Lusers can still click on malicious files even if they are poisoned, if there are two file
I have just tested this on a system with v 1.29 of the sanitizer. It may be that the scenario
email has a plain-text body plus two attachments.
1st attachment is test.bat (a plain text file sent as Text/plain)
2nd attachment is test.doc (a real MS Word doc)
The test.doc gets mangled OK but the test.com attachment still makes it through even
though it is in the poisoned file list and com is in MANGLE_EXTENSIONS.
The problem is that the test.com file (and any similar file like test.bat) will be sent by
default with some clients (Pegasus for a start) with a mime type of Text/plain. The
sanitizer then ignores the attachment and allows it to pass unchecked and without even
mangling the file name.
Here are the attachment lines from the final email as received:
Content-type: text/plain; charset=US-ASCII
Content-description: Text from file 'test.bat'
If a binary file is attached and named test.bat it does get poisoned, but that's not very
helpful of course :)
Now, because the mime type is Text/plain even Outlook Express displays the contents of
test.bat and does not give the user the opportunity to double-click or otherwise directly
execute the file (at least in OE 6 on Win 98 SE with default OE settings).
Any comments please John?
FREDO Internet Services
markjt at fredo.co.uk
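As an added illustration (not code from the poster or from the sanitizer project), the following Python checks each MIME part's claimed file name, including the name Pegasus puts in Content-Description, against a mangle list, so a .bat sent as Text/plain is still flagged. The extension set and the sample message are constructed for the example.

```python
import email
import re

# Extensions the sanitizer is told to mangle (MANGLE_EXTENSIONS in the post);
# constructed sample set, .doc included because the poster's setup mangles it.
MANGLE_EXTENSIONS = {"com", "bat", "exe", "pif", "scr", "vbs", "doc"}

# Pegasus carries the original name in Content-Description ("Text from file
# 'test.bat'"), so look there as well as in the usual name/filename parameters.
DESC_RE = re.compile(r"""from file ['"]?([^'"]+)['"]?""", re.IGNORECASE)

def candidate_names(part):
    """Every file name a MIME part claims for itself."""
    names = []
    if part.get_filename():
        names.append(part.get_filename())
    m = DESC_RE.search(part.get("Content-Description", ""))
    if m:
        names.append(m.group(1).strip())
    return names

def risky_attachments(raw):
    """(name, declared content type) for each part whose file name has a
    mangle-listed extension, regardless of the Content-Type the client sent."""
    hits = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        for name in candidate_names(part):
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in MANGLE_EXTENSIONS:
                hits.append((name, part.get_content_type()))
    return hits

# Constructed message reproducing the headers quoted in the post.
SAMPLE = """Content-Type: multipart/mixed; boundary="XX"

--XX
Content-type: text/plain; charset=US-ASCII
Content-description: Text from file 'test.bat'

@echo off
--XX
Content-Type: application/msword; name="test.doc"
Content-Disposition: attachment; filename="test.doc"

(constructed placeholder for the Word document bytes)
--XX--
"""
```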