procmail

More quoting issues affecting MIME header exploits

1998-07-31 08:31:15
Brett:

Another comment emailed to me this morning reminded me that it is valid to
use line-continuation within quoted strings, so something like:

  Content-Type: ... name="AAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
    ...
    AAAAAAAAAAAAAAAAAAAA
    AAexploit-code-starts-here"

would be syntactically valid but would bypass my filters. I have modified
html-trap.procmail to append a close quote on the first line, but it does
NOT clean up the remaining lines. I figure this is good enough since you'd
probably only see an embedded line-continuation like this in an exploit
message - mail with a valid attachment with a long name would probably do
the line-continuation "at a higher syntactic level" as RFC822 suggests,
most likely breaking before the entire name="xxx" token - but it still
might BO due to overflow on the entire Content-Type header.

Take a look and let people know, since you seem to have adopted the mantle
of "Publicity Agent" :)

I figure that this is all leading up to a general purpose
MIME-header-sanitizing perl script, so I will direct my efforts at doing
that, but now I have to devote a few hours to my *paying* job... :)

--
 John Hardin KA7OHZ                               jhardin(_at_)wolfenet(_dot_)com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   86 days until Daylight Savings Time ends
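The folding trick the post describes, as an added example that is not code from the post or from html-trap.procmail: a naive per-physical-line check of the kind a folded name= value slips past, beside a check that unfolds RFC822 continuation lines first and bounds both the quoted value and the whole header. The sample headers and the length limits are constructed assumptions.

```python
import re

# Constructed sample (not from the post): a Content-Type header whose quoted
# name= value is folded across continuation lines, as the post describes.
FOLDED_ATTACK = (
    'Content-Type: application/octet-stream; name="' + "A" * 12 + "\n"
    + "    " + "A" * 20 + "\n"
    + "    " + "A" * 20 + "\n"
    + '    AAexploit-code-starts-here"\n'
)

# Constructed benign header folded "at a higher syntactic level": the break
# falls between parameters, not inside a quoted string.
FOLDED_BENIGN = 'Content-Type: text/plain;\n    charset="us-ascii"\n'

# name="..." parameter with a quoted value (escaped quotes not handled here)
NAME_PARAM = re.compile(r'name\s*=\s*"([^"]*)"', re.IGNORECASE)


def unfold_header(raw):
    """Join RFC822 continuation lines (leading whitespace) into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw.strip())


def line_based_check(raw, limit=64):
    """Naive per-physical-line check: this is what folding bypasses.
    Returns True only if one physical line carries a complete, overlong name=\"...\"."""
    for line in raw.splitlines():
        m = NAME_PARAM.search(line)
        if m and len(m.group(1)) > limit:
            return True
    return False


def unfolded_check(raw, limit=64, header_limit=998):
    """Unfold first, then bound both the quoted value and the whole header
    (the post notes the entire Content-Type header can overflow too).
    Limits are assumed values. Returns a reason string if suspicious, else None."""
    logical = unfold_header(raw)
    m = NAME_PARAM.search(logical)
    if m and len(m.group(1)) > limit:
        return "overlong name= value (%d chars)" % len(m.group(1))
    if len(logical) > header_limit:
        return "overlong header (%d chars)" % len(logical)
    return None
```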
