[36568] in bugtraq
Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Sat Sep 18 20:01:37 2004
Message-Id: <m1C8in6-0005FIC@proven.weird.com>
Date: Sat, 18 Sep 2004 13:14:28 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "Greg A. Woods" <woods@weird.com>
To: Borja Marcos <borjam@sarenet.es>
Cc: David Covin <dcovin@nmr.mgh.harvard.edu>,
"BUGTRAQ: Full Disclosure Security Mailing List" <bugtraq@securityfocus.com>
In-Reply-To: <4BE9238C-08A2-11D9-9E02-000D935143FC@sarenet.es>
Reply-To: "Greg A. Woods" <woods@weird.com>
[ On Friday, September 17, 2004 at 14:08:33 (+0200), Borja Marcos wrote: ]
> Subject: Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue
>
> If someone builds faulty software which generates bad MIME headers,
> such messages should be treated as hostile messages and dropped.
> Period.
You are 110% correct.
Thank you very much for saying that, and I would suggest that at the
current time it is something which cannot be repeated too many times.
Far too few software developers understand the idea of "failing safely".
Passing on "cleaned" or "de-fanged" messages is a guaranteed way of
failing catastrophically.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>
