[Tickets #12062] Re: Mime parser fails to parse multipart message
noreply at bugs.horde.org
Wed Feb 27 12:29:41 UTC 2013
Ticket URL: http://bugs.horde.org/ticket/12062
------------------------------------------------------------------------------
Ticket | 12062
Updated By | Thomas Jarosch <thomas.jarosch at intra2net.com>
Summary | Mime parser fails to parse multipart message
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Unconfirmed
Priority | 1. Low
Milestone |
Patch | 1
Owners |
------------------------------------------------------------------------------
Thomas Jarosch <thomas.jarosch at intra2net.com> (2013-02-27 12:29) wrote:
> But whatever Cyrus and *certain* versions of Dovecot do is
> irrelevant. The issue still remains that a large number of IMAP
> servers **won't** parse these messages. By Timo's own numbers, this
> is at LEAST 40% of the servers out there (just counting the number
> of Courier installs and a reasonable estimate of the number of
> servers running the old dovecot software:
> http://www.openemailsurvey.org/)
Interesting survey. Too bad it does not contain any date information
when it last scanned the IPs or provide the test script. Would be interesting
to see if it detects my local server as cyrus imapd.
>> What could go wrong if we do the same (to be more relaxed on parsing)?
>
> 1. I know for a fact (because I have dealt with them personally)
> that certain SPAM/Antivirus tools WON'T parse a message missing the
> MIME-Version header as a MIME message. So it becomes absolutely
> trivial to bypass security checks on these machines by doing
> something like this:
I've done the following test:
- create a message with an attachment
- strip all headers except: Date, To, From, Subject and Content-Type
- place it on a POP3 server
- fetch it with a client and check if it still parses the MIME message
Results:
Outlook 2003: Ignores missing MIME-Version, shows attachment
Outlook 2010: Ignores missing MIME-Version, shows attachment
Thunderbird 17.0.3: Ignores missing MIME-Version, shows attachment
So this "antivirus" solution you mentioned is pretty useless
in the real world if it can be fooled by a missing MIME-Version header.
Also, the perl-MIME-tools 5.427 used by the popular amavisd-new email
content scanner (antivirus / antispam tool) checks for
"multipart" in the Content-Type header only.
So that's already quite a big security "breach" ;)
-> I don't think it's a security issue since the popular MUAs tested
above ignore it.
Only Courier IMAP seems to be stubborn about this; it clearly discards
the content when the MIME-Version header is missing.
Thomas
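
The parser disagreement discussed in this thread can be checked for at a mail gateway. The following is an added example, not part of the original message or of Horde's code: it uses Python's standard `email` package as the lenient parser, and `strict_view` is a hypothetical model of a scanner that refuses to treat a message as MIME without a MIME-Version header. The sample message and all addresses are constructed.

```python
from email import message_from_bytes
from email.policy import default

# Constructed sample: a multipart message carrying only Date, To, From,
# Subject and Content-Type headers (no MIME-Version), as in the test above.
SAMPLE = (
    b"Date: Wed, 27 Feb 2013 12:00:00 +0000\r\n"
    b"To: bob@example.org\r\n"
    b"From: alice@example.org\r\n"
    b"Subject: test\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="sample.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAEC\r\n"
    b"--b1--\r\n"
)

def lenient_view(msg):
    """Leaf parts seen by a parser that keys on Content-Type alone."""
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]

def strict_view(msg):
    """Assumed model: a scanner that requires MIME-Version sees no parts."""
    if msg["MIME-Version"] is None:
        return []  # body treated as opaque text, attachments never inspected
    return lenient_view(msg)

def audit(raw):
    """Report parts a lenient client would show but a strict scanner skips."""
    msg = message_from_bytes(raw, policy=default)
    strict, lenient = strict_view(msg), lenient_view(msg)
    hidden = [p for p in lenient if p not in strict]
    return {"mime_version": msg["MIME-Version"] is not None,
            "hidden_from_strict": hidden,
            "differential": bool(hidden)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A gateway that finds `differential` set should scan the message with the lenient parse, since that is what the mail clients listed in the results will display.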