The attachment spoken of in the bug report you are linking to is an .html file, so it is likely it would attempt to execute if opened in a browser. And it could do things with a malicious site.
I don't see a case of a .doc file attachment being malicious, or even being spoofed. Is there another? - Dennis -----Original Message----- From: TJ Frazier [mailto:[email protected]] Sent: Wednesday, August 31, 2011 16:36 To: [email protected] Subject: Re: [ooo-user] was RE: [email protected] [Was: Re: [Discussion] [email protected]] On 8/31/2011 19:01, Eike Rathke wrote: > Hi Dennis, > > On Wednesday, 2011-08-31 14:17:38 -0700, Dennis E. Hamilton wrote: > > [... reordering quotes and adding a quote level for better readability, > stripping rest ...] > >> From: TJ Frazier >>> Funny you should mention that. That very problem occurred on Bugzilla, >>> with DOC attachments bearing Trojan viruses. --/tj/ > >> Wow! >> >> When was that? > > Last year? But I think what TJ was referring was a case of .doc > attachments to make them look like a testcase but instead contained > a JavaScript snippet redirecting the browser to a different site that > tried to install malware. Quite clever. Yes, H. Duerr provided a link to the issue: https://issues.apache.org/ooo/show_bug.cgi?id=113088 The spammers' accounts have apparently been removed, but some of the attachments may have survived. I found a couple of attachments attributed to "Unknown". This might happen if the account was deleted before all "contributions" were removed. --/tj/ > >> I assume that bugzilla still accepts attachments (we were talking about >> lists). > > A bug tracker _has_ to accept attachments, without it is useless in many > cases. > >> What do we do to protect it? > > How about a virus scan on attachments? That probably wouldn't help > against the JavaScript case though. Virus scans could even be done for > mail attachments before the mailing list distributes them. Question is > if Apache infra supports both cases. > > Eike >
