Re: base64

From: MightyE (trash_at_mightye.org)
Date: 09/24/03

    Date: Wed, 24 Sep 2003 15:13:57 -0400
    To: bugtraq@securityfocus.com
    
    

    I agree, I don't think it's unreasonable to reject improperly formatted
    messages. Chances are much higher that they're spam or viruses, and the
    minority with broken clients will find their way to non-broken clients.
    If you are parsing the message, particularly looking for malware, and
    encounter an improper encoding, bounce the message with a meaningful
    error; this way you don't have to worry about a targeted exploit that
    depends on the way one email client (mis)interprets a message in a
    different way from your virus scanner.

    The RFC does declare an = to indicate that the end of the data stream
    has been reached, further data should be truncated, though it seems each
    email client actually handles this differently. Take the low road
    catchall, and simply reject them as a matter of course.

    -Eric Stevens
    mightye a@t mightye d.o.t org

    Christian Vogel wrote:

    >Hi,
    >
    >On Tue, Sep 23, 2003 at 07:50:56PM +0300, Alexander Ogol wrote:
    >
    >
    >>decision in all situations. Some mailing lists (debian-russian, for example)
    >>add some 7bit information after letter body while re-forwarding, regardless
    >>of was the letter base64/QP encoded or not, resulting of such malformed
    >>
    >>
    >
    >Then this software is severely broken (MIME-wise), imho, and needs to be
    >updated/changed/dumped.
    >
    >
    >
    >>So I think that the right solution (before antivirus software would be
    >>rewritten) is to write filters by yourself - decode base64 as that do
    >>popular mail clients and give them to antivirus.
    >>
    >>
    >
    >With this approach, you are always on the "one step behind" side of
    >the problem. It's only a matter of time that someone finds out that
    >(made up example:) you can use a UTF8-mis-encoded "=" in Microsoft's
    >base64-decoder... The only sane way is to check if it's in the
    >standard-form ("abcABC=") and reject or convert if it's not.
    >
    >99.99% of all software should create the standard form, so please
    >let the tiny fraction of users with broken software suffer
    >when their mails get rejected.
    >
    >(Note: this of course applies not only to Base64 but to all aspects
    > of header-parsing, file-format guessing etc...)
    >
    > Chris
    >
    >
    >
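
The reject-rather-than-emulate policy argued for in this thread, as an added Python example that is not part of the original messages. The function names, bounce reasons and sample bodies are constructed for illustration; the 76-character line limit is the one from RFC 2045.

```python
import base64
import binascii
import re

# Standard form: alphabet characters only, then at most two '=' at the very end.
_STANDARD = re.compile(r"[A-Za-z0-9+/]*={0,2}")
MAX_LINE = 76  # RFC 2045 limit for one encoded line

class NonStandardBase64(ValueError):
    """Raised with the reason a body is not in standard form."""

def strict_b64decode(body: bytes) -> bytes:
    """Return the decoded bytes, or raise NonStandardBase64 (never guess)."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        raise NonStandardBase64("non-ASCII byte in body") from None
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":  # a single trailing line break is normal
        lines.pop()
    if any(len(line) > MAX_LINE for line in lines):
        raise NonStandardBase64("line longer than 76 characters")
    data = "".join(lines)
    if not _STANDARD.fullmatch(data):
        # Covers stray characters and anything that follows the '=' padding.
        raise NonStandardBase64("character outside alphabet or data after '='")
    if len(data) % 4:
        raise NonStandardBase64("length is not a multiple of 4")
    try:
        decoded = base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        raise NonStandardBase64(str(exc)) from None
    # The unused low bits of the last character must be zero, so that the
    # text and the bytes map to each other in exactly one way.
    if base64.b64encode(decoded).decode("ascii") != data:
        raise NonStandardBase64("non-zero padding bits")
    return decoded

def gateway_verdict(body: bytes) -> str:
    """'scan' if the body decodes unambiguously, else a bounce reason."""
    try:
        strict_b64decode(body)
        return "scan"
    except NonStandardBase64 as why:
        return f"bounce: {why}"

# Constructed sample bodies: clean, data after '=', 7bit footer appended by a list.
SAMPLES = [b"aGVsbG8=\r\n", b"aGVsbG8=ZXh0cmE=", b"aGVsbG8=\r\n-- \r\nfooter\r\n"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", gateway_verdict(sample))
```

Only bodies that return "scan" are handed to the virus scanner; everything else is bounced with the reason string, so the scanner never has to guess how a mail client would read a malformed body.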

