Corsaire Security Advisory - Multiple vendor MIME field whitespace issue Title: Multiple vendor MIME field whitespace issue Date: 04.08.03 Application: various Environment: various Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c030804-003 Scope This document defines a MIME content evasion issue affecting various products like browsers, proxy servers, email clients, content security gateways, and antivirus products. Overview Content security gateways and antivirus products block embedded file attachments based on their content type but can be evaded by malformed MIME encoding techniques using non-standard whitespace. Analysis MIME standards (RFC2045, RFC822, RFC2822) allow for whitespace between elements. Interpretation varies across vendors. Security products may fail to detect threats due to inconsistent whitespace handling. Receiving agents may: Identify the MIME message as malformed and block it (correct behavior). Fail to interpret the MIME field. Recommendations Security products should process encoding techniques as per standards and handle common misinterpretations. Vendors should identify applications that decode MIME objects liberally. CVE CVE assigned: CAN-2003-1015 References 1. RFC2045: http://www.faqs.org/rfcs/rfc2045.html 2. RFC822: http://www.faqs.org/rfcs/rfc822.html 3. RFC2822: http://www.faqs.org/rfcs/rfc2822.html 4. MIME issues: http://www.uniras.gov.uk/vuls/2004/380375/mime.htm