From: SourceForge.net <no...@so...> - 2006-09-27 13:53:12
Support Requests item #1393516, was opened at 2005-12-30 02:09
Message generated for change (Comment added) made by nobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=211118&aid=1393516&group_id=11118

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: blocking
Group: None
Status: Closed
Priority: 5
Submitted By: vorkoster (vorkoster)
Assigned to: Fabian Keil (fabiankeil)
Summary: How to block WMF files by MIME type?

Initial Comment:
Hi,

is it possible to block potentially malicious WMF files by MIME type (header)?

http://isc.sans.org/diary.php?storyid=972

See the recent "WMF-Exploit" at
http://www.securityfocus.com/bid/16074/info

Cheers,
-Michael

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-09-27 06:53

Message:
Logged In: NO

Ah of course, very true. Must RTFA next time. :-)

----------------------------------------------------------------------

Comment By: vorkoster (vorkoster)
Date: 2006-09-27 05:59

Message:
Logged In: YES
user_id=1083417

Finally, some life in here :)

As I didn't want to wait some nine months <g>, I used a Squid ACL for this:

----------------------------------
acl WMF-EXPLOIT1 urlpath_regex -i \.(avi|mpg|mpeg|emf|wmf|dib|bmp|tif|tiff|jfif)($|\?)
deny_info ERR_WMF WMF-EXPLOIT1
http_access deny WMF-EXPLOIT1
----------------------------------

Thanks for responding nevertheless.

----------------------------------------------------------------------

Comment By: Fabian Keil (fabiankeil)
Date: 2006-09-27 04:48

Message:
Logged In: YES
user_id=875547

Adam, you may block some of them based on their URL,
but you are certainly not blocking them based on their
MIME type and you will miss a lot.
----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-09-27 04:38

Message:
Logged In: NO

I block them period, and have never come across any missing images due to it.
You could also just block them from .biz domains and numerical addresses
which cuts out a lot of the domains that spread malicious WMF files, I believe.

Adam Piggott.

----------------------------------------------------------------------

Comment By: Fabian Keil (fabiankeil)
Date: 2006-09-27 03:47

Message:
Logged In: YES
user_id=875547

Currently it isn't.

----------------------------------------------------------------------
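
The difference between URL-based and MIME-type-based blocking raised in the thread, as an added example that is not part of the original tracker item: it applies the regex from the Squid ACL above and a Content-Type check to the same constructed requests. The function names, the sample URLs and the list of WMF media types are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the Squid ACL in the thread; -i becomes re.IGNORECASE.
URLPATH_RE = re.compile(
    r"\.(avi|mpg|mpeg|emf|wmf|dib|bmp|tif|tiff|jfif)($|\?)", re.IGNORECASE)

# Assumption: media types commonly used for WMF; not taken from the thread.
WMF_MIME_TYPES = {"image/wmf", "image/x-wmf", "application/x-msmetafile"}


def url_rule_hits(url):
    """Mimic urlpath_regex: match the path plus query string, not the host."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return URLPATH_RE.search(target) is not None


def mime_rule_hits(content_type):
    """Match the response Content-Type, ignoring parameters and case."""
    if not content_type:
        return False
    return content_type.split(";", 1)[0].strip().lower() in WMF_MIME_TYPES


def compare(samples):
    """Return (url, url_hit, mime_hit) for every (url, content_type) pair."""
    return [(u, url_rule_hits(u), mime_rule_hits(ct)) for u, ct in samples]


# Constructed samples (URL, response Content-Type); not real traffic.
SAMPLES = [
    ("http://a.example/pics/logo.wmf", "image/x-wmf"),
    ("http://a.example/pics/LOGO.WMF?v=2", "application/x-msmetafile"),
    ("http://a.example/show.php?id=7", "IMAGE/X-WMF"),
    ("http://a.example/photo.jpg", "image/wmf; name=photo"),
    ("http://a.example/scan.tiff", "image/tiff"),
    ("http://wmf.example/index.html", "text/html"),
]

if __name__ == "__main__":
    for url, by_url, by_mime in compare(SAMPLES):
        print(f"url_rule={by_url!s:5} mime_rule={by_mime!s:5} {url}")
```

The third and fourth samples are served as WMF but carry no listed extension, so only the Content-Type check flags them, while the fifth is a TIFF that the URL rule blocks although it is not a WMF.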