[Tickets #12062] Re: Mime parser fails to parse multipart message

noreply at bugs.horde.org noreply at bugs.horde.org
Wed Feb 27 12:29:41 UTC 2013



Ticket URL: http://bugs.horde.org/ticket/12062
------------------------------------------------------------------------------
  Ticket             | 12062
  Updated By         | Thomas Jarosch <thomas.jarosch at intra2net.com>
  Summary            | Mime parser fails to parse multipart message
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              | 1
  Owners             |
------------------------------------------------------------------------------


Thomas Jarosch <thomas.jarosch at intra2net.com> (2013-02-27 12:29) wrote:

> But whatever Cyrus and *certain* versions of Dovecot do is  
> irrelevant.  The issue still remains that a large number of IMAP  
> servers **won't** parse these messages.  By Timo's own numbers, this  
> is at LEAST 40% of the servers out there (just counting the number  
> of Courier installs and a reasonable estimate of the number of  
> servers running the old dovecot software:  
> http://www.openemailsurvey.org/)

Interesting survey. Too bad it does not contain any date information
about when it last scanned the IPs, nor does it provide the test script.
It would be interesting to see if it detects my local server as Cyrus imapd.

>> What could go wrong if we do the same (to be more relaxed on parsing)?
>
> 1. I know for a fact (because I have dealt with them personally)  
> that certain SPAM/Antivirus tools WON'T parse a message missing the  
> MIME-Version header as a MIME message.  So it becomes absolutely  
> trivial to bypass security checks on these machines by doing  
> something like this:

I've done the following test:
- create a message with an attachment
- strip all headers except: Date, To, From, Subject and Content-Type
- place it on a POP3 server
- fetch it with a client and check if it still parses the MIME message

Results:
Outlook 2003: Ignores missing MIME-Version, shows attachment
Outlook 2010: Ignores missing MIME-Version, shows attachment
Thunderbird 17.0.3: Ignores missing MIME-Version, shows attachment

So this "antivirus" solution you mentioned is pretty useless
in the real world if it can be fooled by a missing MIME-Version header.

Also, perl-MIME-tools 5.427, used by the popular amavisd-new email
content scanner (antivirus / antispam tool), checks for
"multipart" in the Content-Type header only.
So that's already quite a big security "breach" ;)

-> I don't think it's a security issue since the popular MUAs tested  
above ignore it.

Only Courier IMAP seems to be stubborn about this; it clearly discards
the content when the MIME-Version header is missing.

Thomas
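
Added example, not part of the ticket or of Horde's code: a gateway-side audit that parses a message the way the lenient clients in the test above do and reports when a parser that insists on MIME-Version would see different parts. The sample message is constructed, and `strict_types`, `leaf_types` and `audit` are hypothetical names; the strict view is an assumed simplification (whole body treated as one text/plain part).

```python
from email import message_from_string, policy

# Constructed sample: only Date, To, From, Subject and Content-Type headers,
# mirroring the test described in the message (no MIME-Version header).
SAMPLE = (
    "Date: Wed, 27 Feb 2013 12:00:00 +0000\r\n"
    "To: user@example.org\r\n"
    "From: sender@example.org\r\n"
    "Subject: test\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "body text\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="a.bin"\r\n'
    'Content-Disposition: attachment; filename="a.bin"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAEC\r\n"
    "--b1--\r\n"
)

def leaf_types(msg):
    """Content types of all non-container parts, keyed on Content-Type only."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def strict_types(msg):
    """Assumed model of a parser that requires MIME-Version to treat mail as MIME."""
    if msg["MIME-Version"] is None:
        return ["text/plain"]  # body is handled as a single opaque text part
    return leaf_types(msg)

def audit(raw):
    """Compare the strict and lenient views of one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    strict, lenient = strict_types(msg), leaf_types(msg)
    return {
        "mime_version_missing": msg["MIME-Version"] is None,
        "strict_parts": strict,
        "lenient_parts": lenient,
        "differential": strict != lenient,  # scanner and client would disagree
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }
```

A scanner that reports `differential` as true for a message should scan the lenient view, since that is what the tested clients display.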