There will be code to address this in revision 1.49, to be released
either today or tomorrow depending on my workload.

My approach is to simply defang all bare <CR> characters in the message
header, so Outlook will interpret the header like it should. If anyone
has a better idea, I'd be happy to hear it.

On 2002-02-13, 17:18:07 (-0500), Jim Rosenberg wrote:
> Bjarni, I don't know if you've seen this or not; I'm way behind on
> all my Internet mailing lists so I'm not sure if this has already
> come up on Anomy-list (this is a backchannel message.)

Actually, I subscribe to bugtraq and picked it up there. It hadn't
been mentioned on this list yet.

> Since Anomy is in perl I'd be *REALLY* surprised if it isn't
> vulnerable to these attacks; sounds like this is a way for an .exe to
> sneak right through anomy -- ouch.

Has little to do with being written in perl. :-)

> Take a look -- I haven't tested anything to see if this mechanism can
> sneak through Anomy -- I may try it from home tonight.
>
> -Thanks, Jim
>
> ------- Forwarded message follows -------
[snip]
>
> This report is, in slightly modified form, also available on
> http://www.openoffice.nl/special_interest/outlookbug.html
>
[snip]
--
Bjarni R. Einarsson    PGP: 02764305, B7A3AB89
36414@xyz.molar.is -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send plenty of email to: 36539@xyz.molar.is
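
The defanging step described in this message, as an added Python example (not part of the original post and not Anomy's own code, which is Perl): it replaces every bare CR in the header block so that a parser splitting on CRLF/LF and a client that also breaks on a lone CR see the same fields. The function names, the choice of a space as the replacement, and the sample message are assumptions constructed for illustration.

```python
import re

# Constructed sample: one header line contains a bare CR (no LF after it).
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"Subject: hello\rX-Constructed: second field\r\n"
    b"To: rcpt@example.org\r\n"
    b"\r\n"
    b"Body text with a bare \r that is left alone.\r\n"
)

_HEADER_END = re.compile(rb"\r?\n\r?\n")   # first blank line ends the header
_BARE_CR = re.compile(rb"\r(?!\n)")        # CR that is not followed by LF


def defang_bare_cr(raw: bytes, replacement: bytes = b" ") -> tuple[bytes, int]:
    """Replace bare CRs in the header block only; return (message, count).

    The replacement byte is an assumption of this example; the post does
    not say what the sanitizer substitutes.
    """
    m = _HEADER_END.search(raw)
    # No blank line found: treat the whole input as header.
    split = m.start() if m else len(raw)
    header, rest = raw[:split], raw[split:]
    header, count = _BARE_CR.subn(replacement, header)
    return header + rest, count


def header_fields(raw: bytes) -> list[bytes]:
    """Split the header block on CRLF/LF only, as a strict parser would."""
    m = _HEADER_END.search(raw)
    header = raw[: m.start()] if m else raw
    return re.split(rb"\r?\n", header)


if __name__ == "__main__":
    clean, n = defang_bare_cr(SAMPLE)
    print(f"defanged {n} bare CR(s)")
    for field in header_fields(clean):
        print(repr(field))
```

The count returned alongside the message can be logged so that mail carrying bare CRs in its header is visible to whoever runs the filter.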