[Esd-l] Double attachment STILL gets through
Mark Tiramani
markjt at fredo.co.uk
Thu Nov 15 22:08:01 PST 2001
> I have not had any response to my previous query - is nobody else affected?
Well, yes and no. After testing today I find that any file attached ('enclosed') as Text/plain
with Pegasus mail will not be mangled or poisoned by the sanitizer as far as I can see.
This means any *.com *.bat etc. passes through untouched even when it's in
MANGLE_EXTENSIONS or poisoned. This happens to an email with a single
attachment as well, so your problem may have a different cause.
> I have *.com files poisoned, but if someone sends us a .com file and a .doc file as
> attachments, they get through the system. If it's not just our setup, be aware that your
> Lusers can still click on malicious files even if they are poisoned, if there are two file
> attachments.
I have just tested this on a system with v 1.29 of the sanitizer. It may be that the scenario
needs clarifying:
email has plain-text body plus two attachments.
1st attachment is test.bat (a plain text file sent as Text/plain)
2nd attachment is test.doc (a real MS Word doc)
The test.doc gets mangled OK but the test.com attachment still makes it through even
though:
*.bat
is in the poisoned file list and com is in MANGLE_EXTENSIONS.
The problem is that the test.com file (and any similar file like test.bat) will be sent by
default with some clients (Pegasus for a start) with a mime type of Text/plain. The
sanitizer then ignores the attachment and allows it to pass unchecked and without even
mangling the file name.
Here are the attachment lines from the final email as received:
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Text from file 'test.bat'
If a binary file is attached and named test.bat it does get poisoned, but that's not very
helpful of course :)
Now, because the mime type is Text/plain even Outlook Express displays the contents of
test.bat and does not give the user the opportunity to double-click or otherwise directly
execute the file (at least in OE 6 on Win 98 SE with default OE settings).
Any comments please John?
Mark
Mark Tiramani
FREDO Internet Services
markjt at fredo.co.uk
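The bypass described in this post comes down to a sanitizer deciding what to do with a part from its declared Content-Type rather than from the name the part carries. The following is an added illustration, not the Sanitizer's own code: it walks a MIME message with Python's standard `email` package and derives a verdict for every attachment from its filename alone, looking for the name in Content-Disposition, the Content-Type name= parameter, and finally a Pegasus-style "Text from file '...'" Content-Description, so a text/plain part named test.bat is still flagged. The extension lists, the verdict labels, and the sample message (modelled on the headers quoted above) are constructed for this example.

```python
"""Added example: flag attachments by filename, ignoring the declared MIME type.

Not the Sanitizer's code. MANGLE_EXTENSIONS / POISONED_EXTENSIONS here are
constructed stand-ins for the real configuration lists, and SAMPLE is a
constructed message modelled on the Pegasus headers quoted in the post.
"""
import email
import re
from email import policy

# Constructed stand-ins for the sanitizer's extension lists.
MANGLE_EXTENSIONS = {"doc", "com", "bat", "exe", "pif", "scr", "vbs"}
POISONED_EXTENSIONS = {"com", "bat", "exe", "pif", "scr", "vbs"}

# Pegasus puts the name only in Content-Description: "Text from file 'test.bat'"
DESCRIPTION_RE = re.compile(r"from file '([^']+)'", re.IGNORECASE)


def part_filename(part):
    """Return the part's filename, checking every header a name can hide in."""
    name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
    if name:
        return name
    match = DESCRIPTION_RE.search(part.get("Content-Description", ""))
    return match.group(1) if match else None


def classify(name):
    """Verdict from the extension only; the declared Content-Type is not consulted."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in POISONED_EXTENSIONS:
        return "poison"
    if ext in MANGLE_EXTENSIONS:
        return "mangle"
    return "pass"


def audit(raw):
    """Return [(filename, declared_type, verdict)] for every named part.

    Unnamed text parts (the message body) are skipped; everything else is
    judged by part_filename()/classify(), so a text/plain part that is really
    test.bat is still reported as "poison".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part_filename(part)
        if name is None:
            continue  # plain-text body, no attachment name anywhere
        results.append((name, part.get_content_type(), classify(name)))
    return results


# Constructed sample: body, a .bat sent as text/plain (Pegasus style), a .doc.
SAMPLE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: two attachments (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=US-ASCII

Hello, see attached.
--b1
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Text from file 'test.bat'

@echo off
echo constructed sample
--b1
Content-Type: application/msword; name="test.doc"
Content-Disposition: attachment; filename="test.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, ctype, verdict in audit(SAMPLE):
        print(f"{name:12} declared {ctype:20} -> {verdict}")
```

Run as-is it reports test.bat as "poison" and test.doc as "mangle"; swapping the declared type of the first attachment changes nothing, which is the property the post finds missing.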