Date:      Wed, 29 Jul 1998 14:55:56 -0700
From:      Gregory Sutter <gsutter@pobox.com>
To:        Brett Glass <brett@lariat.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: procmail workaround for MIME filename overflow exploit
Message-ID:  <19980729145556.C16073@notabene.zer0.org>
In-Reply-To: <199807291946.NAA14449@lariat.lariat.org>; from Brett Glass on Wed, Jul 29, 1998 at 01:46:14PM -0600
References:  <199807291946.NAA14449@lariat.lariat.org>

On Wed, Jul 29, 1998 at 01:46:14PM -0600, Brett Glass wrote:
> John Hardin has just updated his procmail "kit" to shorten long file names
> on MIME attachments. This should prevent potential exploits in mail clients
> such as Outlook, Outlook Express, Netscape Mail, and possibly Eudora
> (there's still some debate about whether Eudora is susceptible).
> 
> John's procmail filter kit can be found at
> http://www.wolfenet.com/~jhardin/procmail-kit.html
> 
> You can view his "recipe" for solving the problem at the end of the file
> http://www.wolfenet.com/~jhardin/html-trap.procmail

Brett,

John's recipe has the same problem as Andrew McNaughton's proposed
solution -- it invokes perl.  That's a lot of overhead to process a
mail message, when procmail can do it just fine.  Out of several
recipes suggested on the procmail mailing list, David Tamkin's is the
best:

:0fhw    # sixty-three dots in second condition
* ^Content-Disposition:(.*\>)?filename="\/[^"]+
* MATCH ?? ^^\/...............................................................
| formail -I "Content-Disposition: attachment; filename=\"$MATCH\""
 
That recipe will truncate any filenames longer than 63 characters to 63
chars.  If you wish to specially denote offending messages, you can 
change the action line to:

| formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
          -i "X-Security-Modification: Truncated long filename"

Regards,

Greg
-- 
Gregory S. Sutter                 Bureaucrats cut red tape -- lengthwise.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
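The truncation the recipe above performs, written out in Python as an added example (it is not part of Greg's message, the procmail kit, or David Tamkin's recipe). It looks for a quoted filename parameter in the Content-Disposition header of the top-level message and of every MIME part, keeps the first 63 characters of any name that is 63 characters or longer, rewrites the header the same way the formail action line does, and adds the X-Security-Modification header when anything was changed. The sample message, its addresses and the 74-character attachment name are constructed for the example.

```python
import email
import re
from email.message import Message

# The recipe's second condition has sixty-three dots, so names of 63 or more
# characters are cut down to their first 63 characters.
MAX_FILENAME = 63

# Mirrors the recipe's first condition: a double-quoted filename parameter.
FILENAME_RE = re.compile(r'filename="([^"]+)', re.IGNORECASE)


def truncate_filename(disposition):
    """Return (new_value, changed) for one Content-Disposition header value.

    Like the recipe's formail action, the replacement value is a fresh
    'attachment; filename="..."', so other parameters are not carried over.
    """
    m = FILENAME_RE.search(disposition)
    if not m:
        return disposition, False
    name = m.group(1)
    if len(name) < MAX_FILENAME:
        return disposition, False
    return 'attachment; filename="%s"' % name[:MAX_FILENAME], True


def filter_message(raw):
    """Parse a raw RFC 822 message and cap attachment filenames in every part."""
    msg = email.message_from_string(raw)
    modified = False
    for part in msg.walk():
        disposition = part.get("Content-Disposition")
        if disposition is None:
            continue
        new_value, changed = truncate_filename(disposition)
        if changed:
            part.replace_header("Content-Disposition", new_value)
            modified = True
    if modified:
        # Same marker header as the optional -i line in the message above.
        msg["X-Security-Modification"] = "Truncated long filename"
    return msg


# Constructed sample: a multipart message with one overlong attachment name.
LONG_NAME = "A" * 70 + ".bin"  # 74 characters, well past the 63-character cap
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bnd"\n'
    "\n"
    "--bnd\n"
    "Content-Type: text/plain\n"
    "Content-Disposition: inline\n"
    "\n"
    "Body text.\n"
    "--bnd\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="' + LONG_NAME + '"\n'
    "\n"
    "payload\n"
    "--bnd\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "short name\n"
    "--bnd--\n"
)

if __name__ == "__main__":
    print(filter_message(SAMPLE_MESSAGE).as_string())
```

Because the rewrite replaces the whole header value, a truncated name usually loses its extension; that is acceptable here since the point of the filter is to cap the length the receiving client ever sees, not to preserve the attachment's type.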
