| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Dec 2008 11:03:50 -0800 From: "Kurt Buff" <kurt.buff@...il.com> To: "Bernhard Brehm" <bruhns@...urity-labs.com> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu Subject: Re: DoS attacks on MIME-capable software via complex MIME emails On Mon, Dec 8, 2008 at 2:56 PM, Bernhard Brehm <bruhns@...urity-labs.com> wrote: > Valdis.Kletnieks@...edu said: >> >> You want *real* loads of fun? Go read up on message/partial ;) >> <snip> > The situation is quite similiar to the reason, why MTAs like sendmail > are no real target for such attacks: No server should try to convert > 8bit encoding to 7bit encoding any more. Nobody needs to split a message > into several parts for transfer and expects the mailclient to reassemble > the parts. Not all pieces of MIME-related software really need to > understand these rather obscure content-types. Not exactly true. There might not be any clients which support it currently (don't know, myself) but *my* users are constantly trying to send huge messages that I don't allow for size reasons. Breaking them apart into chunks automatically for automatic reassembly by the recipient would very much appeal to them. Kurt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists