Hey all
I just found a hole / bug in my ACL for file extension handling.
This is my current ACL:
# File extension filtering.
deny set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
message = Disallowed file extension
log_message = REJECTED ATTACHMENT ($acl_m1) (rcpt to: $recipients)
condition = ${if match{$acl_m1}{\N^(avi|asf|ade|adp|asx|asp|arj|adep|asd|ace|arc|aspx|atom|adp|au|\
bat|bin|btm|bas|bhx|bzip2|bb|bml|\
cpl|com|cmd|class|cab|chm|crt|cgi|cil|cpe|cvp|c|cob|cbl|cpp|cfm|css|\
dll|deb|\
exe|ear|elf|\
flac|fli|\
gz|gzip|\
hta|hlp|hiv|htr|shtml|\
inf|ins|isp|ici|\
js|jse|java|jtd|jar|jsp|\
keyreg|\
lnk|lbr|lha|lua|\
mpeg|mpe|mp3|mrc|mp2|mpg|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|mid|m3u|mov|mhtml|\
nte|nws|nsf|ntf|nut|nsv|\
ole|ocx|oft|ovl|ops|obj|o|ogg|ots|\
prf|plx|pcd|prf|pif|pl|php|pst|pm|pub|pot|py|pyo|pyc|ps1|php3|php4|\
qtl|\
reg|rb|raw|ra|rm|rss|\
shs|scr|sh|sys|shb|scf|sct|shtml|swf|swt|sql|scpt|ssi|sav|\
tar|tcl|\
rar|\
url|uif|\
vb|vbs|vbe|vbx|vxd|vss|vst|vob|\
wav|wmf|wsc|wma|wsh|ws|wsf|wmd|wmv|wmz|wps|wdb|wm|wvx|\
xpi|xvid|xhtml|xht|\
zoo|\
zip|\
ppt|pps\
)$\N}{1}{0}}
Following this, I have this:
warn set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
!hosts = 192.168.111.0/24 :
log_message = FOUND THIS ATTACHMENT ($acl_m1) (rcpt to: $recipients)
condition = ${if def:acl_m1 }
And, funnily enough, I saw this:
2006-11-03 14:14:57 1Gfxwa-0002eB-6i H=bzq-88-153-38-130.red.bezeqint.net (levin-35s2tp15l) [88.153.38.130] Warning: FOUND THIS ATTACHMENT ( exe) (rcpt to: myuser@mydomain)
as opposed to a line like this:
2006-11-03 15:13:26 1Gfyjb-0002tc-MN H=orion.smartsurv.com [196.23.50.131] Warning: FOUND THIS ATTACHMENT (jpg) (rcpt to: myotheruser@mydomain)
I did this as a test to see what type of file extensions I am passing / allowing. So what this means is that the .exe got past the first ACL.
So this is just a word of caution to those out there using / doing the same method as I am.
HTH
Kind Regards
Brent Clark
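The gap Brent describes, reproduced as an added example (not code from the post or from Exim): `${extract{-1}{.}{...}}` hands back whatever follows the last dot, whitespace included, so an extension like `" exe"` never satisfies the anchored `^(...)$` match. The script simulates the posted deny ACL, a normalised variant that trims whitespace and trailing dots before comparing, and a check over the warn-ACL log format for entries whose logged extension contains whitespace. The block list below is a constructed subset of the one in the post, and the log lines are constructed from the two quoted above.

```python
import re

# Constructed subset of the extensions denied by the ACL in the post (not the full list).
BLOCKED = {"exe", "bat", "cmd", "js", "scr", "vbs", "zip", "ppt"}
# Same shape as the ACL's ${if match{$acl_m1}{\N^(...)$\N}} condition.
BLOCKED_RE = re.compile(r"^(" + "|".join(sorted(BLOCKED)) + r")$")


def exim_extract_last(filename: str) -> str:
    """Mimic ${extract{-1}{.}{${lc:$mime_filename}}}: lowercase the name,
    split on '.', return the last field. Whitespace is not trimmed."""
    return filename.lower().split(".")[-1]


def acl_as_posted(filename: str) -> bool:
    """True if the deny ACL quoted in the post would reject this attachment."""
    return BLOCKED_RE.match(exim_extract_last(filename)) is not None


def normalised_extension(filename: str) -> str:
    """Extension with surrounding whitespace and trailing dots removed, so
    'evil. exe', 'evil.exe ' and 'evil.exe.' all yield 'exe'."""
    name = filename.strip().rstrip(". ")
    return exim_extract_last(name).strip()


def acl_hardened(filename: str) -> bool:
    """Deny when the normalised extension is on the block list."""
    return normalised_extension(filename) in BLOCKED


# Log lines in the format the warn ACL writes (constructed from the post).
LOG_LINES = [
    "2006-11-03 14:14:57 1Gfxwa-0002eB-6i H=bzq-88-153-38-130.red.bezeqint.net [88.153.38.130] Warning: FOUND THIS ATTACHMENT ( exe) (rcpt to: myuser@mydomain)",
    "2006-11-03 15:13:26 1Gfyjb-0002tc-MN H=orion.smartsurv.com [196.23.50.131] Warning: FOUND THIS ATTACHMENT (jpg) (rcpt to: myotheruser@mydomain)",
]
FOUND_RE = re.compile(r"FOUND THIS ATTACHMENT \((?P<ext>[^)]*)\)")


def odd_extensions(lines):
    """Message ids of entries whose logged extension is empty or carries
    whitespace, i.e. values the anchored deny match could never have hit."""
    hits = []
    for line in lines:
        m = FOUND_RE.search(line)
        if m and (not m.group("ext") or m.group("ext") != m.group("ext").strip()):
            hits.append(line.split()[2])  # third field is the Exim message id
    return hits


if __name__ == "__main__":
    for name in ("report.exe", "report. exe", "report.exe ", "Report.EXE.", "photo.jpg"):
        print(f"{name!r:16} posted={acl_as_posted(name)} hardened={acl_hardened(name)}")
    print(odd_extensions(LOG_LINES))
```

Running `odd_extensions` over a real mainlog (the warn ACL is already writing these lines) lists the messages the deny ACL let through for this reason.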