eDecoder - Header Decoding

hsar

New member
Great plugin, very useful for both quick tests on emails and extracting attachments they may contain.

Happened to notice something though, that should be an easy fix - not sure if it is according to the RFC or not, as I observed it on (multiple as it turned out) mails that contained malware.
The entire, as opposed to just the filename, content-disposition header of such messages was mime-encoded, resulting in edecoder failing to read the filename properly.

E.g, opening with 7z an email containing the following header:
Content-Disposition: =?utf-8?q?attachment=3B_filename=3D=22EARTH_SUMMT?=
=?utf-8?b?4oCTTUFSMjEtVjAxVkMuY2FiIg==?=
will display the filename of the specific attachment as 'Message', instead of the actual .cab name that was included in the malicious mail.

As by being able to see the filename (its attachment, rather), you'd have a good clue on what to not attempt to open, it would be great if you would modify the code so that it decodes the entire header before attempting to parse it.

Additionally -new here, so don't know if mentioned before- I happened to notice that several winmail.dat/tnef attachments failed to open.
Besides the two issues above, everything seems very smooth so far. Really useful..
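
The request in the post above (decode the whole Content-Disposition value, then parse it), sketched with Python's standard `email` package. This is an added example, not part of the thread and not eDecoder's code; the function names and the `flagged` indicator are made up for illustration.

```python
import re
from email.header import decode_header
from email.message import Message

# Header value quoted in the post above, folded across two lines.
RAW = ("=?utf-8?q?attachment=3B_filename=3D=22EARTH_SUMMT?=\n"
       " =?utf-8?b?4oCTTUFSMjEtVjAxVkMuY2FiIg==?=")

# An RFC 2047 encoded-word at the very start of the value means the
# disposition type itself is encoded, not just the filename.
LEADING_ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")


def naive_filename(raw):
    """What a parameter parser sees if it skips decoding (hypothetical helper)."""
    msg = Message()
    msg["Content-Disposition"] = raw
    return msg.get_filename()


def decode_whole_header(raw):
    """Decode every encoded-word in the value and join the folded pieces."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label in the encoded-word
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)


def attachment_info(raw):
    """Decode first, then parse: returns (disposition, filename, flagged)."""
    msg = Message()
    msg["Content-Disposition"] = decode_whole_header(raw)
    flagged = bool(LEADING_ENCODED_WORD.match(raw.lstrip()))
    return msg.get_content_disposition(), msg.get_filename(), flagged


if __name__ == "__main__":
    print("without decoding:", naive_filename(RAW))
    print("decoded first   :", attachment_info(RAW))
```

In the Q-encoded part `_` stands for a space, so the recovered name reads `EARTH SUMMT` followed by an en dash and `MAR21-V01VC.cab`.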
 

Dec

Administrator
Staff member
E.g, opening with 7z an email containing the following header:
Content-Disposition: =?utf-8?q?attachment=3B_filename=3D=22EARTH_SUMMT?=
=?utf-8?b?4oCTTUFSMjEtVjAxVkMuY2FiIg==?=
will display the filename of the specific attachment as 'Message', instead of the actual .cab name that was included in the malicious mail.

several winmail.dat/tnef attachments failed to open

Could you provide samples of such eml files?
 