[exim] caution to those blocking files by extension

Author: Brent Clark
Date:  
To: exim-users
Subject: [exim] caution to those blocking files by extension

Hey all

I just found a hole / bug in my acl for file extension handling.

This is my current ACL

# File extension filtering.
deny    set acl_m1      = ${extract{-1}{.}{${lc:$mime_filename}}}
        message         = Disallowed file extension
        log_message     = REJECTED ATTACHMENT ($acl_m1) (rcpt to: $recipients)
        condition       = ${if match{$acl_m1}{\N^(avi|asf|ade|adp|asx|asp|arj|adep|asd|ace|arc|aspx|atom|adp|au|\
                             bat|bin|btm|bas|bhx|bzip2|bb|bml|\
                             cpl|com|cmd|class|cab|chm|crt|cgi|cil|cpe|cvp|c|cob|cbl|cpp|cfm|css|\
                             dll|deb|\
                             exe|ear|elf|\
                             flac|fli|\
                             gz|gzip|\
                             hta|hlp|hiv|htr|shtml|\
                             inf|ins|isp|ici|\
                             js|jse|java|jtd|jar|jsp|\
                             keyreg|\
                             lnk|lbr|lha|lua|\
                             mpeg|mpe|mp3|mrc|mp2|mpg|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|mid|m3u|mov|mhtml|\
                             nte|nws|nsf|ntf|nut|nsv|\
                             ole|ocx|oft|ovl|ops|obj|o|ogg|ots|\
                             prf|plx|pcd|prf|pif|pl|php|pst|pm|pub|pot|py|pyo|pyc|ps1|php3|php4|\
                             qtl|\
                             reg|rb|raw|ra|rm|rss|\
                             shs|scr|sh|sys|shb|scf|sct|shtml|swf|swt|sql|scpt|ssi|sav|\
                             tar|tcl|\
                             rar|\
                             url|uif|\
                             vb|vbs|vbe|vbx|vxd|vss|vst|vob|\
                             wav|wmf|wsc|wma|wsh|ws|wsf|wmd|wmv|wmz|wps|wdb|wm|wvx|\
                             xpi|xvid|xhtml|xht|\
                             zoo|\
                             zip|\
                             ppt|pps\
                             )$\N}{1}{0}}


Following this I have this

warn    set acl_m1      = ${extract{-1}{.}{${lc:$mime_filename}}}
        !hosts          = 192.168.111.0/24 :
        log_message     = FOUND THIS ATTACHMENT ($acl_m1) (rcpt to: $recipients)
        condition       = ${if def:acl_m1 }


and funny enough, I saw this

2006-11-03 14:14:57 1Gfxwa-0002eB-6i H=bzq-88-153-38-130.red.bezeqint.net (levin-35s2tp15l) [88.153.38.130] Warning: FOUND THIS ATTACHMENT (         exe) (rcpt to: myuser@mydomain)


as opposed to a line like this

2006-11-03 15:13:26 1Gfyjb-0002tc-MN H=orion.smartsurv.com [196.23.50.131] Warning: FOUND THIS ATTACHMENT (jpg) (rcpt to: myotheruser@mydomain)

I did this as a test to see what type of file extension I am passing / allowing. So what this means is that the .exe got past the first ACL.

So this is just a word of caution to those out there using / doing the same method as I.

HTH

Kind Regards
Brent Clark
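The bypass Brent's log shows can be reproduced outside Exim. The script below is an added example, not part of the post or of Exim: it models `${extract{-1}{.}{${lc:$mime_filename}}}` (lowercase, split on ".", take the last field, no whitespace trimming) and the anchored `match` against a constructed subset of the extension list, then shows a hardened variant that removes whitespace from the extracted field before matching. The sample filenames are constructed; the `.         exe` one mirrors the log line above.

```python
import re

# Constructed subset of the extension list in the post's deny ACL.
BLOCKED_RE = re.compile(r"^(exe|com|bat|cmd|scr|pif|vbs|js|jar|zip)$")


def exim_extract_ext(mime_filename):
    """Model of ${extract{-1}{.}{${lc:$mime_filename}}}.

    Exim lowercases the name, splits on '.', and returns the last field.
    With no '.' there is a single field, so the whole name comes back.
    Like Exim's numeric extract, nothing is trimmed from the field, which is
    why a name such as 'invoice.         exe' yields '         exe'.
    """
    return mime_filename.lower().split(".")[-1]


def naive_deny(mime_filename):
    """The post's deny ACL: anchored regex over the raw last field.

    Returns True when the attachment would be rejected.
    """
    return bool(BLOCKED_RE.match(exim_extract_ext(mime_filename)))


def normalize_ext(mime_filename):
    """Hardened extraction (assumed fix, not from the post): drop all
    whitespace from the extracted field so leading, trailing or embedded
    spaces cannot keep it from matching the deny list."""
    return re.sub(r"\s+", "", exim_extract_ext(mime_filename))


def hardened_deny(mime_filename):
    """Same deny list, applied to the whitespace-stripped extension."""
    return bool(BLOCKED_RE.match(normalize_ext(mime_filename)))


# Constructed test filenames covering the failure modes worth checking:
# the spaced extension from the log, a trailing space, mixed case,
# a double extension, an allowed type, and a name with no extension.
SAMPLES = [
    "invoice.         exe",
    "setup.EXE ",
    "report.pdf.exe",
    "photo.jpg",
    "README",
]


def evaluate(samples=SAMPLES):
    """Return (filename, naive_result, hardened_result) for each sample."""
    return [(name, naive_deny(name), hardened_deny(name)) for name in samples]


if __name__ == "__main__":
    for name, naive, hardened in evaluate():
        print(f"{name!r:28} naive_deny={naive!s:5} hardened_deny={hardened}")
```

The naive check passes both `invoice.         exe` and `setup.EXE ` because `$` in the regex demands that the field end immediately after `exe`; the hardened check rejects both. On the Exim side the same normalisation can be done before the match, for example by wrapping the extraction in `${sg{...}{\N\s+\N}{}}` (an assumed equivalent, not tested here). Note also that the `warn` statement logs every part that carries a filename at all: with no dot in the name, `extract` returns the whole name, so `def:acl_m1` is still true.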