RE: [Exim] virurstest.org test #19

Author: Rick Cooper
Date:  
To: exim-users
Subject: RE: [Exim] virurstest.org test #19

> -----Original Message-----
> From: exim-users-admin@??? [mailto:exim-users-admin@exim.org]On
> Behalf Of Philip Hazel
> Sent: Monday, March 29, 2004 8:31 AM
> To: David
> Cc: exim-users@???
> Subject: Re: [Exim] virurstest.org test #19
>
>
> On Mon, 29 Mar 2004, David wrote:
>
> > when I check test #19 at www.virustest.org I get the following:
> >
> > From - Sat Mar 27 11:27:57 2004
> > X-UIDL: UID39583-1069500867
> > X-Mozilla-Status: 0001
> > X-Mozilla-Status2: 00000000
> > Return-path: <tester@???>
> > Envelope-to: david@???
> > Delivery-date: Sat, 27 Mar 2004 11:31:52 +0100

<snip>

> Therefore, Exim is quite correct in terminating the headers there. I
> cannot see that this is an Exim problem.
>


And the fact it does that places the attachment in the body, and Outlook
doesn't see it as an attachment (which is what the whole vulnerability
revolves around), so Exim is actually protecting the Outlook client. (I
tested this with Outlook and it is in the body.) Had Exim not broken the
headers at that point, Outlook would have terminated the headers there and
the following MIME would have been seen as a valid attachment in Outlook,
thus allowing the virus author to "fold" the attachment between valid
headers.

Rick