Bugtraq: Why black list based extension filtering won't work (Was: Re: MIME::Tools Perl module and virus scanners)

From: Mikael Olsson <mikael.olsson_at_clavister.com>
Date: Thu, 13 Jun 2002 11:17:23 +0200

"David F. Skoll" wrote:
>
> MIMEDefang itself doesn't "know" anything, but the sample filter which
> comes with it will correctly (?!) reject ".exe." as well as ".exe"
>
> [huge snip]
>
> # Bad extensions
> $bad_exts ='(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
> inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|
> reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';

I just feel I have to add this: blocking "known bad" extensions won't
buy much. Have you tried creating a Word document, e.g. "asdf.doc",
and then changing the extension to, for instance, "asdf.unkext"?

It'll happily launch MS Word without asking for an app to run.
Further verify this by renaming "qwer.xls" to "qwer.unkext".
Clicking _that_ document will indeed launch MS Excel, again without
asking for an app to run.

The Windows shell apparently has hooks for checking the _file contents_
for associations when it doesn't recognize the file extension. The
Office suite makes use of this. (I believe this was mentioned here
on Bugtraq a couple of months ago.)

So, the only approach that really works is a white-list approach.
And add to that, a white-list that ONLY lets through extensions
that you KNOW that the vast majority of the installed user base
has associated handlers for. Removing the handler for ".zip" (or
not installing winzip) and clicking on "renamedexcelsheet.zip"
will, of course, launch Excel.

Regards,
/Mikael Olsson

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"Senex semper diu dormit"
Received on Jun 13 2002
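An added example (not code from the post or from MIMEDefang) of the allow-list approach the post argues for: each permitted extension is paired with the content signature it may carry, so a renamed spreadsheet is rejected even when its new extension is on the list. The extension policy, the signature table and the file names are assumptions constructed for the example.

```python
import os

# Content signatures ("magic bytes") for the document types this filter knows.
# The OLE2 header is shared by legacy Word (.doc) and Excel (.xls) files, which
# is why a renamed spreadsheet still sniffs as an Office document.
SIGNATURES = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
}

# Allow-list: extensions the user base is assumed to have handlers for, mapped
# to the content type(s) each may carry. Assumed policy for this example only.
ALLOWED = {
    ".doc": {"ole2"},
    ".xls": {"ole2"},
    ".zip": {"zip"},
    ".pdf": {"pdf"},
    ".txt": set(),  # plain text has no signature; any sniffed type is a mismatch
}


def sniff(content):
    """Identify the content type from its leading bytes, ignoring the file name."""
    for kind, magic in SIGNATURES.items():
        if content.startswith(magic):
            return kind
    return None


def check_attachment(filename, content):
    """Return (accepted, reason) for one attachment name plus its raw bytes."""
    # Strip trailing dots and spaces so "payload.exe." is judged as ".exe".
    ext = os.path.splitext(filename.rstrip(". "))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not on the allow-list"
    kind = sniff(content)
    if kind is not None and kind not in ALLOWED[ext]:
        # e.g. "renamedexcelsheet.zip": the extension is allowed, the content is not
        return False, f"content looks like {kind}, which {ext} may not carry"
    if kind is None and ALLOWED[ext]:
        return False, f"content does not match any type permitted for {ext}"
    return True, "extension allowed and content consistent"
```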