Author: Florian Weimer Date: To: Andreas Gietl CC: Nico Erfurth, Marc Haber, exim-users, tom Subject: Re: [Exim] exim as relay for latest sendmail bug?
Andreas Gietl <Listen@???> writes:
> The Bug affects the parsing of the From, To, CC and Bcc-Header which
> sendmail does semantic tests on.
According to the Bat Book, the header list is a bit more elaborate:
Resent-Sender
Resent-From
Resent-Reply-To
Sender
From
Apparently-From
Reply-To
Return-Receipt-To
Errors-To
To
Resent-To
Cc
Resent-Cc
Bcc
Resent-Bcc
Apparently-To
Ways to change these headers are documented, so this set varies from
one Sendmail to another. Go figure.
> The patch that fixes the sendmail-bug now detects these crafted
> headers and logs an error to the log. Perhaps it is possible to
> implement this routine into exiscan and then detect it as malicious
> content.
The code is very hard to understand. And unless the researches
explain what's actually happening, you can't be sure that you caught
all the corner cases. For a first line of defense, dissect the
questionable header line into address components and detect addresses
that are longer than 200 characters (or so). I doubt you can do this
with regular expressions, even with Perl one's which are a bit more
powerful.
