I wouldn't necessarily call this a vulnerability. I ran into this when writting the Regex Scanner for QSQ. Find $skip_text_msgs and set it to 0 so that all e-mails, including plain text, are scanned.
This only applies to the 1.2x versions, 1.1x don't have this feature. John Narron | "Sacrifice, they always say Network Administration | Is a sign of nobility CDS/CDSinet, LLC | But where does one draw the line http://www.cdsinet.net | In the face of injury?" (660) 886 4045 | - Queensryche ----- Original Message ----- From: "Dallas L. Engelken" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, April 08, 2004 10:21 AM Subject: [Qmail-scanner-general]QS Vulnerability - Exploiting "No virus scan on plain text messages" > I was looking through the code on 1.21 and saw that virus scans are > disabled on plain text messages... This can be a problem when a plain > text message with an old style Uuencoded attachment is in-lined into a > message using begin and end statements... Take the following email for > example... (note I snipped the attachment so don't try to make this > jpeg load cuz it wont.. you want a copy of the message, email me, cuz > its too large for this list's 40kb limit). =20 > > -------------START MSG-------------------- > > Return-Path: <[EMAIL PROTECTED]> > Received: from 206.103.112.7 (EHLO kdsi.net) (206.103.112.7) > by mta130.mail.scd.yahoo.com with SMTP; Fri, 12 Mar 2004 20:01:51 > -0800 > Received: (qmail 11633 invoked from network); 13 Mar 2004 04:01:24 -0000 > Received: from unknown (HELO 56kdialnp3.kdsi.net) (204.117.238.3) > by dns.kdsi.net with SMTP; 13 Mar 2004 04:01:24 -0000 > Received: by 56kdialnp3.kdsi.net with Microsoft Mail > id <[EMAIL PROTECTED]>; Fri, 12 Mar 2004 > 22:00:55 -0600 > From: Kathy Scott <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: FW: Mom & Russell > Date: Fri, 12 Mar 2004 21:58:39 -0600 > Encoding: 27 TEXT, 1467 UUENCODE > X-MS-Attachment: mom & russell.jpg 0 00-00-1980 00:00 > Content-Length: 69836 > > > > ---------- > From: Kathy Scott[SMTP:[EMAIL PROTECTED] > Sent: Tuesday, March 09, 2004 11:14 PM > To: 'Linda Dirks' > Subject: FW: Mom & Russell > Importance: High > > =20 > > ---------- > From: Kathy Scott[SMTP:[EMAIL PROTECTED] > Sent: Saturday, February 21, 2004 12:27 AM > To: 'Linda Dirks' > Subject: Mom & Russell > Importance: High > > This is mom, so I think this would have to be Russell? I think mom has=20 > this picture, or one like it? I think it was taken over on the old > place=20 > on the creek. It's got the dugout on the hill - looks like where the=20 > dugout was that mom said Gm Edwards stayed in when they lived there, > before=20 > they moved over to the big house we knew. > > > > > > ---------------------------------------------------------------------------- ---- > > ------------END MSG------------------------ > > Inject this message to yourself and see how your email client handles > it... Outlook 2000 shows me an attachment, so does Yahoo Mail. > > Here is the proof that QS bypasses Virus Scans on it.... > > Thu, 08 Apr 2004 10:14:43 -0500:17737: from=3DKathy Scott > <[EMAIL PROTECTED]>,subj=3DFW: Mom & Russell, > x-qmail-scanner-message-id=3D<[EMAIL PROTECTED]>= > > via local process 17737 > Thu, 08 Apr 2004 10:14:43 -0500:17737: This is a PLAIN text message > (because it's either not mime, or is text/plain), skip virus scanners - > but not SA > > I can do the same thing with an embedded exe. Beware if you are using > 1.21... I'm not sure what other version are effected.. I know 1.15 is > safe because that is what I'm still using. > > If anyone finds any flaws in my reasoning here.. Please let me know. > > Dallas Engelken > Linux Administrator > Network Management Group, Inc. > > > > > > > > > > > ------------------------------------------------------- > This SF.Net email is sponsored by: IBM Linux Tutorials > Free Linux tutorial presented by Daniel Robbins, President and CEO of > GenToo technologies. Learn everything from fundamentals to system > administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click > _______________________________________________ > Qmail-scanner-general mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general > > ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
