Re: [Exim] File Extension Filtering Alert

Pàgina inicial
Delete this message
Reply to this message
Autor: Edgar Lovecraft
Data:  
A: exim-users
Assumpte: Re: [Exim] File Extension Filtering Alert
> Sent By: James P. Roberts
>
> Dear Exim Users:
>
> I just stumbled upon a very interesting paper:
>
> http://www.geocities.com/floydian_99/invisible.html
>
> It describes the fact (which I did not previously know), that Windoze
> will accept a CLSID as a valid file extension, and that it will ALWAYS
> hide such extensions, whether the associated file type is normally
> "visible" or not.
> Bottom line is, if you are filtering on file extensions (e.g. to block
> executable attachments), beware of this potentially nasty trick.
> I am wondering if the MIME-aware apps (such as exiscan, yes?), do their
> file-type detection based on the MIME header, or on actual file contents
> (embedded file header in the base64 encoded data)?
>

--

If exiscan is installed this should kill these .CLSID extensions

deny message = "Hideing of file extensions is not allowed!"
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}
\})|((.*?)\\s{10,}(.*?)))"+\$

Please note that this was adapted from the Mailscanner package, and that
the regex is all on one line, well, it is in my exim.config file anyway :)

--EAL--