[Esd-l] A variant of Klez.H is slipping by John's sanitizer

John D. Hardin jhardin at impsec.org
Tue May 21 17:57:00 PDT 2002

On Tue, 21 May 2002, Brett Glass wrote:

> A variant of Klez.H seems to be slipping by John's sanitizer. 
> (Thankfully, we caught it at a later stage of checking.) Has anyone 
> besides me observed this?

Can you provide a sample?

I *have* seen a few examples where it's glommed onto a file with
semicolons in the name, and that is confusing the
quote-an-unquoted-attachment-name sanitize step, yielding something

    Content-Type: blahblahblah; name="fnord";fnord;fnord.bat

I don't know how a mailer parses this. Probably in the Worst Possible

I'm going to work on quoting an unquoted filename with embedded
semicolons properly.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   367 days until The Matrix Reloaded

More information about the esd-l mailing list