Date: Wed, 29 Jul 1998 13:46:14 -0600 From: Brett Glass <brett@lariat.org> To: freebsd-security@FreeBSD.ORG Subject: procmail workaround for MIME filename overflow exploit Message-ID: <199807291946.NAA14449@lariat.lariat.org>
next in thread | raw e-mail | index | archive | help
John Hardin has just updated his procmail "kit" to shorten long file names on MIME attachments. This should prevent potential exploits in mail clients such as Outlook, Outlook Express, Netscape Mail, and possibly Eudora (there's still some debate about whether Eudora is susceptible). John's procmail filter kit can be found at http://www.wolfenet.com/~jhardin/procmail-kit.html You can view his "recipe" for solving the problem at the end of the file http://www.wolfenet.com/~jhardin/html-trap.procmail I have no idea whether his solution is bulletproof (we should all probably review it to be sure!), but it certainly looks good. Admins: it'd be a fantastic idea to install this NOW to protect users, unless anyone knows of security holes in procmail. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807291946.NAA14449>