On Sun, 28 Mar 2004, David wrote:
> I was trying the tests at www.virustest.org and noticed that
> test #19 "Blank Folding Vulnerability", which sends an email
> with a header line that contains only one white space or tab,
> makes exim think that headers terminate at that line. Although
> the resulting message is broken as exim breaks the headers at
> that point, making the virus 'unusable', this makes it not possible
> to detect that circumstance using match on $message_headers and
> prevents the virus scanner from detecting the virus, so the broken
> message reaches the end user. Any way to detect this vulnerability?

Which version of Exim?

I have just run a test in which I included a line such as you describe
in the headers, and Exim handled it correctly. That is, it did NOT
terminate the header at that point. What it did do was to remove the
line containing just a space altogether. This is a deliberate feature to
avoid confusing humans and/or other programs.

What I supplied to Exim was:

  First: a first header
  Second: 
  Third: third header, next line contains just a space
   
  Fourth: is this still a header?

The line labelled "Second:" had just one space following; the line after
"Third:" contained just one space. When the message was delivered, it
contained the following:

  First: a first header
  Second:
  Third: third header, next line contains just a space
  Fourth: is this still a header?
  Message-Id: <E1B7tK8-0001Aq-EQ@???>
  From: Philip Hazel <ph10@???>
  Date: Mon, 29 Mar 2004 10:45:43 +0100

  This is the body

Note that the blank line has gone, but the header was not terminated,
because the extra lines added by Exim come afterwards (and the debug
output also confirms what is in the header).
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
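
An added example, not part of the original thread and not Exim's code: a Python check that flags whitespace-only lines inside a header block and shows where a strict parser and a lenient one (one that treats such a line as the end of the headers) would disagree. The sample message is rebuilt from the test in the reply above; all function names are hypothetical.

```python
# Constructed sample: the test message from the reply above. "Second:" ends in
# one space and the line after "Third:" holds a single space.
SAMPLE = (
    "First: a first header\n"
    "Second: \n"
    "Third: third header, next line contains just a space\n"
    " \n"
    "Fourth: is this still a header?\n"
    "\n"
    "This is the body\n"
)

WS = " \t"  # characters that make a line "blank" without making it empty


def split_lines(raw):
    """Split a message into lines, accepting CRLF or LF endings."""
    return raw.replace("\r\n", "\n").split("\n")


def header_end_strict(lines):
    """Index of the first completely empty line (the header/body separator)."""
    return next((i for i, l in enumerate(lines) if l == ""), len(lines))


def header_end_lenient(lines):
    """Index where a parser that treats whitespace-only lines as empty stops."""
    return next((i for i, l in enumerate(lines) if l.strip(WS) == ""), len(lines))


def whitespace_only_header_lines(raw):
    """1-based numbers of header lines that contain only spaces or tabs."""
    lines = split_lines(raw)
    end = header_end_strict(lines)
    return [i + 1 for i in range(end) if lines[i].strip(WS) == ""]


def normalise_headers(raw):
    """Drop whitespace-only header lines (the behaviour the reply describes),
    so strict and lenient parsers see the same header block afterwards."""
    lines = split_lines(raw)
    end = header_end_strict(lines)
    kept = [l for l in lines[:end] if l.strip(WS) != ""]
    return "\n".join(kept + lines[end:])


if __name__ == "__main__":
    print("suspicious header lines:", whitespace_only_header_lines(SAMPLE))
    print(normalise_headers(SAMPLE))
```

A non-empty result from `whitespace_only_header_lines` is the condition worth logging or rejecting on, since it marks a message that downstream tools may split at different points.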