anomy-bugs

sanitizer: inline images, false positives with T'bird

From: Doug McCasland (30551@xyz.molar.is)
Date: Tue 27 Jul 2004 - 23:43:41 GMT


    F-Prot AVES: Message modified.
    | 1 HTML tag disabled by the security net.
    | Report: https://aves.frisk.is/m?i=YnDId4GOIPhQ82_6Z,QQbsTjvEDQ@mx0.is105

    Hi,
         I found an interesting problem.
         I composed a message with Moz. Thunderbird in HTML format. Used Insert|Image and put in a gif file in the message body. When I sent it to myself Anomy accepted it.
         When my wife did the same thing from her installation of T'bird, Anomy deleted the attachment. The only difference: her sender address is in .com, mine is in .net.
         The message source has this in the HTML attachment:

    <img alt="" src="cid:30673@xyz.molar.is" ...

    The cid content ID tag refers to the image attachment later in the message:

    Content-Type: image/gif; name="image.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <30673@xyz.molar.is>
    Content-Disposition: inline; filename="image.gif"

         From the Anomy logs:

    [Attachment accepted]
    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="30727@xyz.molar.is, image.gif", mimetype="image/gif"):

    [Attachment deleted]
    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="30673@xyz.molar.is, image.gif", mimetype="image/gif"):

    As you can see, T'bird uses the sender domain to make the Content-ID name. ".net" is not a known threat, so it was accepted. ".com" is obviously an unacceptable extension, so it was dropped, even though the .com had nothing to do with the attached file's contents.
         From the Sanitizer.pm code:

    sub SanitizeFile
    ..
        # Collect Content-Description and Content-ID values as possible file names
        foreach my $h ("_description", "_id")
        {
            foreach my $v (map { ($_->{"data"}, $_->{"raw"}) }
                           $part->GetMIMEAttributes("(?i)^$h\$"))
            {
                # Strip the <...> wrapping of a msg-id style value
                $v = $1 if ($v =~ /^<+(.*?)>+\s*$/);
                # Anything containing a dot is treated as a file name candidate
                push @filenames, $v if ($v =~ /\./);
            }
        }
    ..

    When I comment out this loop, the log shows:

    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="image.gif", mimetype="image/gif"):

    which is properly accepted. I'm not sure what the loop does (or why); I suppose certain malware can somehow be transmitted in a Content-ID? I'm leaving the loop commented out for now. Since I use ClamAV before Anomy, I'm not that concerned about actual malware inside HTML.
         What do you think?

    --
    Doug McCasland   Healdsburg, California   <30551@xyz.molar.is>
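The false positive described in the post, reproduced as an added example (not code from Anomy or from the poster). It mirrors the quoted Sanitizer.pm loop in Python: Content-ID and Content-Description values that contain a dot become file name candidates, and the last dot-suffix of every candidate is checked against a blocked-extension list, so a Thunderbird Content-ID ending in "@example.com" is dropped while one ending in "@example.net" passes. The BLOCKED_EXTENSIONS set, the content_id_mode switch (including the "local-part" variant, which is a hypothetical narrower fix and not something the post proposes), and the example.com/example.net Content-IDs are all constructed stand-ins, not Anomy's real configuration.

```python
import re

# Constructed stand-in for the site's "unacceptable extension" policy; the real
# Anomy list is configured per site. Only ".com" matters for this report.
BLOCKED_EXTENSIONS = {"com", "exe", "bat", "scr", "pif"}


def _msgid_body(value):
    """Apply the rule from the quoted Perl: strip a '<...>' wrapper, else use verbatim."""
    m = re.match(r"^<+(.*?)>+\s*$", value)
    return m.group(1) if m else value


def filename_candidates(headers, content_id_mode="anomy"):
    """Collect every header value the sanitizer might treat as a file name.

    content_id_mode (assumed switch, not an Anomy option):
      "anomy"      - as in the quoted loop: Content-Description and Content-ID
                     count as file names whenever they contain a dot
      "skip"       - the poster's workaround: ignore those two headers entirely
      "local-part" - hypothetical narrower fix: drop the '@domain' half of a
                     msg-id shaped value before applying the dot test
    """
    cands = []
    if content_id_mode != "skip":
        for h in ("content-description", "content-id"):
            v = _msgid_body(headers.get(h, ""))
            if content_id_mode == "local-part" and "@" in v:
                v = v.split("@", 1)[0]
            if "." in v and v not in cands:
                cands.append(v)
    # Content-Type name= and Content-Disposition filename= are always considered.
    for h in ("content-type", "content-disposition"):
        for m in re.finditer(r'(?:file)?name="?([^";]+)"?', headers.get(h, "")):
            name = m.group(1).strip()
            if name not in cands:
                cands.append(name)
    return cands


def verdict(headers, content_id_mode="anomy"):
    """Return ('deleted', offending_name) or ('accepted', None)."""
    for name in filename_candidates(headers, content_id_mode):
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return ("deleted", name)
    return ("accepted", None)


def log_line(headers, content_id_mode="anomy"):
    """Reproduce the shape of the 'SanitizeFile (filename=..., mimetype=...)' log line."""
    names = ", ".join(filename_candidates(headers, content_id_mode))
    mimetype = headers.get("content-type", "").split(";", 1)[0].strip()
    return f'SanitizeFile (filename="{names}", mimetype="{mimetype}"):'


# Constructed MIME part headers, modelled on the Thunderbird inline image in the
# report; only the sender domain inside the Content-ID differs between the two.
NET_PART = {
    "content-type": 'image/gif; name="image.gif"',
    "content-transfer-encoding": "base64",
    "content-id": "<part1.01020304@example.net>",
    "content-disposition": 'inline; filename="image.gif"',
}
COM_PART = dict(NET_PART, **{"content-id": "<part1.01020304@example.com>"})

if __name__ == "__main__":
    for label, part in (("sender in .net", NET_PART), ("sender in .com", COM_PART)):
        for mode in ("anomy", "skip", "local-part"):
            print(f"{label:15} {mode:11} {verdict(part, mode)[0]:9} {log_line(part, mode)}")
```

Running the block prints one line per sender domain and mode; only the ".com" sender under the "anomy" mode comes out as deleted, and its log line has the Content-ID listed ahead of image.gif, matching the shape of the log lines in the report. Both the "skip" mode (the poster's commented-out loop) and the "local-part" mode keep the file name check while stopping the sender domain from being mistaken for an extension.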