关键信息 Title: Clearswift MAILsweeper MIME attachment evasion issue Date: 03.03.03 Application: Clearswift MAILsweeper 4.x Environment: Windows NT 4.0, Windows 2000 Author: Martin O'Neal Audience: General distribution Scope The document defines a MIME attachment evasion issue in the MAILsweeper product. History Vendor notified: 03.03.03 Uncoordinated vendor advisory released: 05.03.03 Document released: 06.03.03 Overview The MAILsweeper product provides policy-based email content security, but malformed MIME encapsulation can evade its functionality. Analysis Attachment detection works by recursively analyzing the email message for MIME constructs. Malformed MIME encapsulation can make MAILsweeper fail to recognize attachments, allowing them to pass. Proof of Concept Removing the MIME-Version header field can make MAILsweeper fail to spot the attachment. Recommendations MAILsweeper must handle both standard and misinterpreted MIME encoding techniques. A study project should identify applications that misinterpret MIME standards. CVE Assigned name CAN-2003-0121 (candidate for CVE inclusion). References 1. [1] Clearswift.com 2. [2] RFC 2045 3. [3] Clearswift script tool