On Wed, 29 Jul 1998, Brett Glass wrote: > This recipe is a great start! However, there are a few potential improvements. Fire away! > First, it doesn't recognize tabs as whitespace or handle optional > whitespace in a few places where MIME would allow it. I fixed that - thanks for pointing it out. Please grab the html-trap.procmail snippet again and take a look. > Second, it invokes Perl on any message with a MIME attachment, which > could slow the mail server greatly. It would be preferable to detect the > exploit in procmail and only invoke Perl to "cleanse" the message if > that were necessary. Not so. It uses procmail REs to detect long filenames and executable filenames, and only calls perl to sanitiza them if they are found. > Alternatively, it could redirect the mail to the postmaster so he or she > would know that users were under attack. Hmm. That would be simple a matter of adding :0c ! postmaster to the block that calls perl - before (unsanitized) or after (sanitized) perl cleans the message would be a judgement call. Alternatively you could send the entire message as an attachment - that might be better. Could someone give me an action that will take the message being processed and mail it as a MIME attachment to postmaster? I'm not very familiar with formail. > Finally, there are other possible exploits, like a very long content > type, that might also lead to buffer oveflows in mail clients. These > should be checked too. If you can give me an example, I'll be glad to add a trap for it. I'll take a shot at it without a sample, but it might not be too good. > Can people suggest improvements to John's recipes that solve these > problems? Greg Sutter and Chris Lindsey have both come up with patterns > that do more of the matching within procmail, but they still need a > little refinement. > > In any event, this is a great start. It's fantastic that someone who had > most of the needed recipe already written was on the list.... This is > what's great about the Net! ...and that I also lurk on bugtraq and ntbugtraq... :) -- John Hardin KA7OHZ jhardinat_private pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76 ----------------------------------------------------------------------- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [ OK ] ----------------------------------------------------------------------- 88 days until Daylight Savings Time ends
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:10:48 PDT