|
|
|
|
| |
| MIME::Tools is a very nice Perl module for parsing and constructing MIME-encoded mail messages. MIME::Tools works very well on valid MIME messages. However, there are a number of problems if you use it to implement server-based mail scanning. |
| |
Credit:
The information has been provided by David F. Skoll.
|
| |
Vulnerable systems:
* MIME::Tools version 5.411a
Problem 1 - RFC 2231 encoding not supported:
RFC2231 specifies (yet another) way to encode filenames in MIME messages. MIME::Tools will not correctly recognize this attachment as "foo.exe":
Content-Disposition: attachment; filename*1="foo."; filename*2="exe"
Problem 2 - Rejection of "obvious" interpretation of malformed MIME:
The following MIME header is valid:
Content-Type: application/octet-stream; name="bad boy.exe"
But this header is not:
Content-Type: application/octet-stream; name=bad boy.exe
MIME::Tools interprets the name field as "bad" in this case, and throws away the " boy.exe" part. Unfortunately, most Windows mail clients make the "obvious" interpretation and recognize the name as "bad boy.exe"
Problem 3 - Incorrect concatenation of encoded MIME words:
MIME::Tools does not remove the space from this example:
(=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=)
To yield (ab); instead, it yields "(a b)" Some MUA's use encoded MIME words in the Content-Type or Content-Disposition fields. Although this is specifically disallowed by RFC 2047, again, some Windows mail clients may make the "obvious" interpretation and decode the words.
Technical summary:
Problems 1 and 3 are real deficiencies in MIME::Tools. Problem 2 is not a deficiency in MIME::Tools itself, but that is cold comfort if a virus slips through your server-based scanner.
Unofficial Patch:
A patch that corrects problems 1-3 and does not break any MIME::Tools regression tests is at http://www.roaringpenguin.com/mimedefang/mime-tools-patch.txt
Users of MIMEDefang
If you use MIMEDefang (which uses MIME::Tools), you may want to unconditionally call action_rebuild in filter_begin(). This forces the MIME message to be rebuilt by MIME::Tools, resulting in a valid MIME message. This should guarantee that the MUA interprets the message exactly as MIME::Tools did, but it may introduce unacceptable processing overhead.
Vendor Status:
The vendor has been contacted on 30 May, no response yet.
|
|
|
|
|
|
|
