[31803] in bugtraq
Re: base64
daemon@ATHENA.MIT.EDU (MightyE)
Thu Sep 25 16:29:23 2003
Message-ID: <3F733235.6010206@mightye.org>
Date: Thu, 25 Sep 2003 14:21:41 -0400
From: MightyE <trash@mightye.org>
MIME-Version: 1.0
To: Bennett Todd <bet@rahul.net>
Cc: Lawrence MacIntyre <lpz@ornl.gov>, bugtraq@securityfocus.com
In-Reply-To: <20030925153009.GA5716@rahul.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
This is a remarkably good and simple approach (thus I'm a bit abashed
that I didn't think of it), and permits liberal acceptance, with out
exposing the user to a targeted intentional malformation of base64
encoded data. Accept all mis formed data, make a best guest as to what
it is (or follow RFC on how to handle this where applicable), check the
result, and pending acceptance, write it to the user's mail file, in its
newly interpreted form.
Eric Stevens
mightye a@t mightye d.o.t org
Bennett Todd wrote:
>2003-09-25T09:06:58 MightyE:
>
>
>>There are two methods which you can use in the writing of your
>>email virus scanner; you can either decode it every known way that
>>any client does so, [...] Alternatively you can accept it only if
>>it is properly encoded, [...]
>>
>>
>
>There's a third method, which I think is rather better than either
>of those.
>
>You can re-code everything into a canonical form. Some email client
>drop some punctuation characters in filenames? Delete all such
>characters from filenames. Different tools handle various i18n
>encoded filenames differently? Map to US-ASCII. Enforce length
>limits. Recode base64. Recode uuencoded chunks. Regularize
>non-standard MIME.
>
>Do all this canonicalization before the message hits your
>attachment type policy enforcement and malware scanner, so they only
>have to deal with the common forms that everybody handles the same.
>
>-Bennett
>
>
