Re: Another possible RFC 2046 vulnerability.

[Earl Hood <earl () earlhood com>]

On September 27, 2002 at 13:01, Jose Marcio Martins da Cruz wrote:

> What's interesting is that in this case the message and the malicious
> code passes through two different network paths : messages is sent by
> mail and the malicious code will be get by receiver by anonymous ftp.
>
> In the case of previous vulnerability (fragmented message), message and
> malicious code uses the same network path.
>
> Classical mail server virus scanners will never see the malicious code
> pass through it, as they will never have available entire malicious
> code.

Since the external-body type uses other standard network protocols, then
the security policies of a company for other protocols (like ftp) would
take effect.  It is no different than if someone sends a message
to someone saying "go download ftp://....";.

> I can't say anything about others mail clients, as I'm sick at home and
> I have no access to other MUAs. 

The venerable MH, and its successor nmh, support the
message/external-body type.

The only real security risk is if a badly designed MUA automatically
retrieves the data specified in a message/external-body (and RFC 2046
gives a warning about this).  Otherwise, it poses the same security
problems as someone including a URL in a regular mail message (which
many MUAs automatically convert into a hyperlink).

--ewh

P.S.  You may be interested in RFC 2017 that defines the URL access
type for message/external-body.