[7473] in bugtraq
procmail workaround for MIME filename overflow exploit
daemon@ATHENA.MIT.EDU (Brett Glass)
Wed Jul 29 20:15:27 1998
Date: Wed, 29 Jul 1998 13:47:11 -0600
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
To: BUGTRAQ@NETSPACE.ORG
John Hardin has just updated his procmail "kit" to shorten long file names
on MIME attachments. This should prevent potential exploits in mail clients
such as Outlook, Outlook Express, Netscape Mail, and possibly Eudora
(there's still some debate about whether Eudora is susceptible).
John's procmail filter kit can be found at
http://www.wolfenet.com/~jhardin/procmail-kit.html
You can view his "recipe" for solving the problem at the end of the file
http://www.wolfenet.com/~jhardin/html-trap.procmail
I have no idea whether his solution is bulletproof (we should all probably
review it to be sure!), but it certainly looks good. Admins: it'd be a
fantastic idea to install this NOW to protect users, unless anyone knows of
security holes in procmail.
--Brett Glass
