[Esd-l] Updated Sanitizer functionality list

Smart,Dan SmartD at VMCMAIL.com
Fri Jul 2 08:43:47 PDT 2004

Here's my updated functionality list for Sarbanes-Oxley Documentation...

John Hardin's Sanitizer functionality.

1. Sanitize bare CR in message headers (Outlook bug). That's also in
violation of RFC822 so it's a protocol sanitizing issue.
2. Sanitize multiple null addresses (sendmail exploit).
n|apparently)-to|Return-Path): *<>.*<>.*<>.*<>.*<>.*<>.*
3. Detect and truncate Subject: headers longer then 250 characters, to
protect Outlook Express users.
4. Truncate excessively long (>500) standard headers, to address the MS
Outlook header buffer-overflow bug and to proactively protect against other
BO bugs in other mailers; 

1. Length-limit MIME boundary strings, to proactively defend against BO
2. Check for a null MIME boundary string and supply one if necessary; this
is a major DoS attack against Microsoft Exchange
3. Sanitize MIME values that have been explicitly set to null (e.g.
encoding="") - this is a major DoS attack against Microsoft Exchange. 
4. Sanitize double backquotes in MIME headers to prevent remote attacks
against Metamail via the UW Pine MUA

1. Sanitize files with Microsoft Class-ID extensions. 
2. Shorten long file names to less than 120 characters
    a. Collapse runs of spaces in filenames before length-limiting. 
3. Truncate long attachment headers (vs. RFC822 message headers as you
noted), again to proactively defend against BO bugs in mailers.
4. Fix missing closed quote on filename 
5. Fix unquoted filenames
    a. Properly enquote unquoted attachment filenames that have embedded
6. Fix trailing periods and spaces in filename.
7. Catch encoded periods in filenames and fix encoded plain characters in
  Both because there's no reason to encode those characters other than an
attempt to bypass filtering.
8. Catch quotes-in-extension attack. Outlook/Windows ignores them. (!)
9. Remove embedded RFC822 comments
10. Fix attachment headers of the form 'text from file "xxxx"' where Outlook
helpfully looks if the filename can't be determined from the headers that
*should* have the filename.

1. Fix URL Spoofing; a.com%01 at b.com
2. Fix URL Obfuscation; a.com at b.com
There's no good reason to encode plain characters other than an attempt to
bypass filtering.

1. Sanitize <IMG> tags
2. Sanitize webbug images in tables. 
3. Sanitize the <BGSOUND> tag for webbugs 4. Santize "BACKGROUND" subtag for

1. Sanitize the <LINK> tag.
2. Sanitize the <LAYER> tag; this is primarily of interest to people running
webmail programs.
3. Sanitize  <STYLE> tags and clauses because they can be used to hide
scripting code.
4. Detect obscured HTML tags. 
	a. Deal with attempted obscuration of tag options with &# and %
5. Sanitize FORM tags (see bugtraq posting

1. Sanitize active HTML <DEFANGED_SCRIPT> tags
 	Defang OnCommands such as OnLoad and other OnCommands.
 	Defang script or mocha: (["\047\075]|url\()([a-z]+script|mocha):
 	Defang &{: 		(["\047\075])&{

1. Mangle/Quarantine/Strip dangerous attachments based on Extension
2. Check zip file for dangerous attachments
	a. Handles password protected zip files
	b. Handles obfuscated file names in zip
3. Check magic bits to ensure file is what it claims to be.
4. Correctly identifies obfuscated file names.
5. Handle notifications intelligently (no notes to spoofed addresses)


More information about the esd-l mailing list