MIME::Tools Perl Module and Virus Scanners Security Issues
5 Jun. 2002
Summary
MIME::Tools is a very nice Perl module for parsing and constructing MIME-encoded mail messages. MIME::Tools works very well on valid MIME messages. However, there are a number of problems if you use it to implement server-based mail scanning.
Credit:
The information has been provided by David F. Skoll.
Problem 1 - RFC 2231 encoding not supported: RFC2231 specifies (yet another) way to encode filenames in MIME messages. MIME::Tools will not correctly recognize this attachment as "foo.exe":
MIME::Tools interprets the name field as "bad" in this case, and throws away the " boy.exe" part. Unfortunately, most Windows mail clients make the "obvious" interpretation and recognize the name as "bad boy.exe"
Problem 3 - Incorrect concatenation of encoded MIME words:
MIME::Tools does not remove the space from this example:
(=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=)
To yield (ab); instead, it yields "(a b)" Some MUA's use encoded MIME words in the Content-Type or Content-Disposition fields. Although this is specifically disallowed by RFC 2047, again, some Windows mail clients may make the "obvious" interpretation and decode the words.
Technical summary:
Problems 1 and 3 are real deficiencies in MIME::Tools. Problem 2 is not a deficiency in MIME::Tools itself, but that is cold comfort if a virus slips through your server-based scanner.
Users of MIMEDefang
If you use MIMEDefang (which uses MIME::Tools), you may want to unconditionally call action_rebuild in filter_begin(). This forces the MIME message to be rebuilt by MIME::Tools, resulting in a valid MIME message. This should guarantee that the MUA interprets the message exactly as MIME::Tools did, but it may introduce unacceptable processing overhead.
Vendor Status:
The vendor has been contacted on 30 May, no response yet.
