[Esd-l] A variant of Klez.H is slipping by John's sanitizer
Brett Glass
brett at lariat.org
Wed May 22 10:51:02 PDT 2002
At 06:48 PM 5/21/2002, John D. Hardin wrote:
>On Tue, 21 May 2002, Brett Glass wrote:
>
>> A variant of Klez.H seems to be slipping by John's sanitizer.
>> (Thankfully, we caught it at a later stage of checking.) Has anyone
>> besides me observed this?
>
>Can you provide a sample?
Unfortunately, it was dismantled at the next stage of checking.
It *looked* as if the name of the attached file was simply
"results", but it could have had quotes or semicolons in it.
Since Klez relies upon active content, it may be that your
sanitizer would have kept the attachment from being launched
automatically. But it would have reached the user.
>I *have* seen a few examples where it's glommed onto a file with
>semicolons in the name, and that is confusing the
>quote-an-unquoted-attachment-name sanitize step, yielding something
>like:
>
> Content-Type: blahblahblah; name="fnord";fnord;fnord.bat
>
>I don't know how a mailer parses this. Probably in the Worst Possible
>Manner.
It may depend upon the client.
>I'm going to work on quoting an unquoted filename with embedded
>semicolons properly.
If this was the problem, it should nail the worms that are slipping
through.
--Brett
More information about the esd-l
mailing list