[Esa-l] HTML.dropper (fwd)
John D. Hardin
jhardin at wolfenet.com
Fri Jan 19 21:45:58 PST 2001
On Fri, 19 Jan 2001, Bjarni R. Einarsson wrote:
Options:
> > collapse all runs of blanks.
Simple, but will break spam rules trapping on / [0-9]+$/
I'm also reluctant to twiddle things that people can see (vs.
modifying metadata in the headers).
> > look for a long subject header ending
> > with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.
Tougher, and possibly ineffective if it's a truncation bug. It may
also generate a DoS given the exact nature of the bug in Outlook.
> - Outlook will use the Subject as a file name, if no file name
> is provided in the MIME headers. So we have to add the Subject:
> line to our list of fields-to-mangle.
No, I don't think so. Subject: is too free-form for such checking to
be reliable.
> *sigh* I'm tempted to do
> so conditionally - only when filename="" tags are missing from
> the MIME headers, since long subject lines are very useful.
Better still: in a MIME header specifying a content-type other than
text/ message/ or multipart/, if no name="whatever" clause is provided
then insert one. This should take care of the Outlook
subject-becomes-filename hack.
Comments?
I have a test version of this if anyone wants to beat on it. You can
also send exploit attempts to me at <jhardin at wolfenet.com> if you
like.
> On 2001-01-19, 09:19:45 (-0000), Shane Hird wrote:
> >
> > It seems OE is cutting the file name short to a
> > specified length when trying to open it (consequently
> > chopping off the real extension), but not cutting it
> > short when determining which icon to use. (Note that
> > the icon choice doesn't seem to be affected like this
> > with the subject overflow problem.)
The example given in this post - a very long filename overflowing a
buffer and dropping the extension - is defanged by the existing
truncate-excessively-long-filename sanitization.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The question of whether people should be allowed to harm themselves
is simple. They *must*.
-- Charles Murray
-----------------------------------------------------------------------
15 days until she returns
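The name-insertion rule proposed above (supply a name= on any non-text/message/multipart part) together with the existing truncate-excessively-long-filename step, as an added Python example that is not the sanitizer's own procmail/Perl code; the 64-character cap and the placeholder name are assumptions, since the post gives neither.

```python
import re

# Content types whose parts a mail client renders inline rather than saving
# as a file: the three prefixes the post exempts from the rule.
INLINE_PREFIXES = ("text/", "message/", "multipart/")
MAX_NAME_LEN = 64                      # assumed cap; the post states no number
DEFAULT_NAME = "unnamed.attachment"    # assumed placeholder for nameless parts

CT_RE = re.compile(r"^content-type:\s*([\w.+-]+/[\w.+-]+)(.*)$",
                   re.IGNORECASE | re.DOTALL)
# Matches name="quoted value" or name=bare-token; \b keeps filename= from matching.
NAME_RE = re.compile(r'\bname\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def truncate_name(name: str, limit: int = MAX_NAME_LEN) -> str:
    """Shorten an over-long file name so the client never has to cut it itself,
    trimming the stem and keeping the final extension visible (an assumption
    about how the truncation should behave, not the sanitizer's exact rule)."""
    if len(name) <= limit:
        return name
    stem, dot, ext = name.rpartition(".")
    if not dot or len(ext) > 8:        # no usable extension: plain cut
        return name[:limit]
    keep = max(1, limit - len(ext) - 1)
    return f"{stem[:keep]}.{ext}"


def sanitize_content_type(header: str) -> str:
    """Rewrite one Content-Type header so that every part other than text/,
    message/ or multipart/ carries an explicit, bounded name= parameter."""
    m = CT_RE.match(header)
    if not m:
        return header                  # not a Content-Type header: untouched
    ctype, params = m.group(1).lower(), m.group(2)
    if ctype.startswith(INLINE_PREFIXES):
        return header
    nm = NAME_RE.search(params)
    if nm is None:
        # No name= at all: supply one so the client cannot fall back to Subject:.
        return header.rstrip() + f'; name="{DEFAULT_NAME}"'
    name = nm.group(1) if nm.group(1) is not None else nm.group(2)
    fixed = truncate_name(name)
    if fixed == name:
        return header
    head = header[: m.start(2) + nm.start()]
    tail = header[m.start(2) + nm.end():]
    return f'{head}name="{fixed}"{tail}'
```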