Related information

Content filtering bypass for SMTP/HTTP in multiple products

[SA13869] SafeHTML Hexadecimal HTML Entities Security Bypass

[Full-Disclosure] Corsaire Security Advisory - Multiple vendor MIME Content-Transfer- Encoding mechanism issue

[Full-Disclosure] Corsaire Security Advisory - Multiple vendor MIME field whitespace issue

[Full-Disclosure] Corsaire Security Advisory - Multiple vendor MIME separator issue

From:	3APA3A <3APA3A_(at)_security.nnov.ru>
Date:	25.03.2002
Subject:	One more way to bypass NAV

Dear BUGTRAQ@SECURITYFOCUS.COM,

I've   updated   "Bypassing   content   filtering  software"  whitepaper
http://www.security.nnov.ru/advisories/content.asp to include new way to
bypass content filtering software. It confirmed to work with NAV and not
to work with McAffee and KAV (AVP).

Symantec      was     contected     via     support@symantec.com     and
symsecurity@symantec.com and didn't reply.

 13.Case sensitivity of Content-Type and Content-Disposition

 Most MUAs ignore case of Content-Type and Content-Disposition headres
 while content filtering software may behave in different way. It makes
 it possible to bypass content-filtering software by using header like

         CONTENT-type: text/plain;
               NAme=\"eicar.com\"

P.S. thanks to everyone on vuln-dev who participated in testing.

--
http://www.security.nnov.ru
        /\_/\
       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                   |/
You know my name - look up my number (The Beatles)