[Esd-l] A variant of Klez.H is slipping by John's sanitizer
John D. Hardin
jhardin at impsec.org
Tue May 21 17:57:00 PDT 2002
On Tue, 21 May 2002, Brett Glass wrote:
> A variant of Klez.H seems to be slipping by John's sanitizer.
> (Thankfully, we caught it at a later stage of checking.) Has anyone
> besides me observed this?
Can you provide a sample?
I *have* seen a few examples where it's glommed onto a file with
semicolons in the name, and that is confusing the
quote-an-unquoted-attachment-name sanitize step, yielding something
like:
Content-Type: blahblahblah; name="fnord";fnord;fnord.bat
I don't know how a mailer parses this. Probably in the Worst Possible
Manner.
I'm going to work on quoting an unquoted filename with embedded
semicolons properly.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral
equivalent of burning down the library of Alexandria to ensure the
livelihood of monastic scribes."
-- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
367 days until The Matrix Reloaded
More information about the esd-l
mailing list