Inline :-)
re-ordered for your top down reading pleasure.
>>> why not block traffic you're not supposed to
see? yes, block requests to /etc/passwd (and other naughty
actions) across all ports from the outside world into your dmz.
why wouldn't you?
The simple answer is because this mail would have never reached us
and likely will not reach many already.
CAT /ETC/PASSWD is also a perfectly valid Unix command on some
systems in all caps.
Do you think that this mail can be processed and confidently
assured to be safe?
Ignoring the top posting habit,
whatever floats ur boat dood.
Yes. Mail bodies traditionally are not run through eval(), but
pattern matched. Stuff sent to scripts through mail is a different
beast, and in general, that code is well written.
Hrm. I'm pretty sure that attackers can comply with "traditionally"
and yet still win. I also wouldn't agree that the scripts that handle
automation are generally well written. This entire industry is based on
failures in the same assumptions you are making here.
I have never seen any situation where a mail body contained a script
which would be run automatically on a Unix system. Plus, you can just
use a current scanner like amavisd-new to only allow valid commands
to be sent to the script (per recipient specifications).
Just because you have not seen it does not mean it is not there.
Reference any outlook vuln or the below sendmail vuln.
http://www.securityfocus.com/bid/6991
http://www.securityfocus.com/archive/1/313757
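The disagreement above boils down to two failure modes of a mail-content signature: a literal, case-sensitive match for `cat /etc/passwd` misses trivial variants such as `CAT /ETC/PASSWD`, while a broad "block anything mentioning /etc/passwd" rule would have dropped this very discussion. The following is an added example, not code from any poster in the thread, that runs all three flavours of rule over a few constructed sample lines so the trade-off can be seen directly; the sample lines and function names are my own.

```python
import re

# Constructed sample mail-body lines (not taken from the thread).
SAMPLE_LINES = [
    "cat /etc/passwd",                                           # literal signature hit
    "CAT /ETC/PASSWD",                                           # case variant from the thread
    "cat   /etc/passwd",                                         # extra whitespace
    "yes, block requests to /etc/passwd (and other naughty actions)",  # legitimate discussion
    "meeting moved to 3pm, see you there",                       # unrelated mail
]

NAIVE_SIGNATURE = "cat /etc/passwd"


def naive_match(line: str) -> bool:
    """Case-sensitive literal substring match: the kind of rule that misses
    CAT /ETC/PASSWD, as pointed out in the thread."""
    return NAIVE_SIGNATURE in line


def normalize(line: str) -> str:
    """Canonicalise a line before matching: lower-case it and collapse runs of
    whitespace, so trivial case and spacing variants look identical."""
    return re.sub(r"\s+", " ", line).strip().lower()


# Word-bounded pattern applied to the normalised text.
NORMALIZED_PATTERN = re.compile(r"\bcat\s+/etc/passwd\b")


def normalized_match(line: str) -> bool:
    """Match the command shape after normalisation; catches case and spacing
    variants but still requires the 'cat <path>' structure."""
    return NORMALIZED_PATTERN.search(normalize(line)) is not None


def path_mention_match(line: str) -> bool:
    """The broad 'block any mention of /etc/passwd' rule proposed in the
    thread; it catches everything above, including legitimate discussion."""
    return "/etc/passwd" in normalize(line)


def evaluate(lines=SAMPLE_LINES) -> dict:
    """Return {line: (naive, normalized, path_mention)} for each sample line."""
    return {
        line: (naive_match(line), normalized_match(line), path_mention_match(line))
        for line in lines
    }


if __name__ == "__main__":
    for line, verdicts in evaluate().items():
        print(f"{verdicts!s:<22} {line}")
```

The normalised matcher closes the case and whitespace gap without blocking the discussion line; the path-mention rule has no false negatives on this sample but blocks the legitimate mail, which is exactly the objection raised earlier in the thread. Neither rule says anything about whether the text will ever be executed, which is the deeper point: content matching on a mail body is a heuristic, and the safe control is the consumer (the script or scanner such as amavisd-new) only accepting a known-good command set.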