[no subject]
> * If the application cannot pass invalidly encoded data to the server,
> there is no vulnerability (this probably includes all Java
> applications, for example, because of Java's handling of Unicode
> strings).
I am afraid that it is quite easy to (mis)configure exim so that it is
possible to pass invalidly encoded data.
> The easiest may be to simply always set the client encoding to
> something like UTF-8 and work the escaping rules so they work with
> that.
If that's possible, it might. We'd need to know how our input data is
encoded and recode to UTF-8, right?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835