[25689] in bugtraq
Re: MIME::Tools Perl module and virus scanners
daemon@ATHENA.MIT.EDU (Kee Hinckley)
Fri Jun 7 16:34:57 2002
Mime-Version: 1.0
Message-Id: <p05111a04b92592ef3341@[192.168.1.104]>
In-Reply-To: <20020604130809.EC1A1BC071@spike.porcupine.org>
Date: Thu, 6 Jun 2002 18:36:01 -0400
To: bugtraq@securityfocus.com
From: Kee Hinckley <nazgul@somewhere.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
At 9:08 AM -0400 6/4/02, Wietse Venema wrote:
>The proper approach is to eliminate such ambiguity, by normalizing
>data, that is, by transforming messages into a form that avoids
>all the grey areas where implementations err, or where RFCs are
>ambiguous.
Which is non-trivial, and also runs the risk of taking things that
passed a scanner and turning them into something dangerous.
The old adage for standards of "make your output conform strictly,
but be lenient in what you accept" simply isn't appropriate for a
secure environment. Microsoft has played very fast and loose with
what their software accepts (backslashes in URLs, mis-typed MIME
files that have their type determined by content...) and we are all
dealing with the consequences. That model worked well when the input
was from a user. It does not work well when the input is from
servers (which can be corrected) and untrusted sources (which should
be rejected).
I would go the other route with a scanner/interpreter. If the input
doesn't match your understand of the standard--reject it. Actually,
I was going to say, "or turn it into plain text", but there again we
run into the problem of software which is overly happy to interpret
what the remote sender "meant". I really don't think there's any
other safe solution.
Of course politically, if what you are rejecting is output by some
major vendor--you've got a problem.
--
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
