[14408] in bugtraq
Re: Esafe Protect Gateway (CVP) does not scan virus under some
daemon@ATHENA.MIT.EDU (Smith, Eric V.)
Fri Mar 24 15:24:00 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="Windows-1255"
Message-Id:  <61475A6027E9D111BB25006008C3D3950CD3CD@eastnor.windsor.com>
Date:         Fri, 24 Mar 2000 03:37:23 -0500
Reply-To: "Smith, Eric V." <EricSmith@WINDSOR.COM>
From: "Smith, Eric V." <EricSmith@WINDSOR.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I don't think that the problem of mime types described below is as rare as
Alon Rotem would have us believe.  I've used any number of misconfigured web
sites where executables are transferred as "text/html".  The standard
procedure is in fact to use "Save as".  In fact, at one customer of mine
this was actually documented for the end users.

Is it eSafe's position that this customer just doesn't get any protection?
What arrogance.

I've never seen a problem where "ASCII conversion" (whatever that might be)
causes a problem with this procedure.  I'm not sure what system would be
doing any conversion based on mime type.  The file is just transferred as
is.

Eric.

> From: alonr@EALADDIN.COM [mailto:alonr@EALADDIN.COM]
>
> Another aspect of HTTP file protection taken by eSafe is the file's header
> which contains extra information about the file type (Mime type). It is
> indeed possible to make an HTTP server transfer any file with a false mime
> type field. Note that HTTP clients (web browsers) treat files by their mime
> type. Files that are transferred by a mime of "text/html" would be opened
> in the browser window, and not considered as an executable that should be
> saved to disk. In order to pass an infection in such a case, the user
> should once again get highly involved: Open the browser window, initiate a
> "Save As..." procedure manually to the local disk and run the file. Also,
> note that transferring files in a "text/html" mime type would usually
> result in a conversion of the file to ASCII format, and will be displayed
> in the browser window with no control characters. Therefore, even saving
> and running the file would fail.
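
The thread turns on whether a gateway should trust the declared mime type when deciding what to scan. The following is an added example, not part of either message and not eSafe's code: a check that decides from the leading bytes of the response body and flags a body that looks executable but is declared as text. The function names, the signature table and the sample bodies are assumptions constructed for illustration.

```python
# Added illustration: decide whether to scan an HTTP response body from its
# content, not from the Content-Type header the server chose to send.
from email.message import Message

# Leading magic bytes of a few executable/archive formats (not exhaustive).
MAGIC = {
    b"MZ": "DOS/PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
}

def declared_type(header_value):
    """Return the bare, lower-cased media type from a Content-Type value."""
    msg = Message()
    msg["Content-Type"] = header_value or "application/octet-stream"
    return msg.get_content_type()

def sniff(body):
    """Return a label if the body starts with a known signature, else None."""
    for magic, label in MAGIC.items():
        if body.startswith(magic):
            return label
    return None

def classify(content_type, body):
    """Return (verdict, detail); verdict is 'scan-mismatch', 'scan' or 'text'."""
    mtype = declared_type(content_type)
    found = sniff(body)
    if found and mtype.startswith("text/"):
        # The case discussed in the thread: executable bytes labelled as text.
        return "scan-mismatch", f"declared {mtype}, body is {found}"
    if found or not mtype.startswith("text/"):
        return "scan", found or f"non-text type {mtype}"
    return "text", f"{mtype} with no executable signature"

if __name__ == "__main__":
    # Constructed sample bodies; the "MZ" stub is not a working program.
    samples = [
        ("text/html", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
        ("application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("text/html; charset=Windows-1255", b"<html><body>hi</body></html>"),
    ]
    for ctype, body in samples:
        print(ctype, "->", classify(ctype, body))
```

A mismatch verdict is also worth logging on its own, since it identifies the misconfigured servers described in the reply.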