Date: Tue, 21 Dec 2010 15:06:38 -0600
From: Earl Hood <earl@...lhood.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>, non customers <non-customers@...ramail.com>, 
	Jeff Breidenbach <jeff@....org>
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML
 sequences (XSS)

On Tue, Dec 21, 2010 at 8:02 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:
>  MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).

I hate HTML in mail.

> But fails to do the same example for a string in the form of:
>
> <scr<body>ipt>alert("elsa");</scr<body>ipt> =>
> <script>alert("elsa");</script>
>
> Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

I should note that MHonArc documentation warns about HTML mail,
and the recommendation is to disable support of it:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata

With that said, do you have an available patch that fixes
the problem?

If not, I can look into it during the holiday break to
get a fix for it.  Note, even if there is a fix for the
case you provided, there is no 100% guarantee that there
could be other data input sequences that get by the filter.
Hence, those concerned about security disable the
HTML filter:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

--ewh
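
Added example, not part of the original message and not MHonArc's code: a constructed stand-in filter showing why a single pass of tag deletion reassembles the quoted sequence, next to a repeat-until-stable pass and plain escaping. The tag list, regex and function names are assumptions made for illustration.

```python
import html
import re

# Constructed stand-in for a tag-stripping filter; NOT MHonArc's actual code.
# Assumed list of elements the filter deletes from HTML mail.
STRIPPED = ("script", "body", "iframe", "object")
TAG_RE = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(STRIPPED), re.IGNORECASE)

# The sequence quoted in the report above.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'


def strip_once(markup):
    """Single pass: delete every listed tag present in the input.

    Deleting the inner <body> joins "<scr" and "ipt>" into a new tag
    that this pass never looks at again.
    """
    return TAG_RE.sub("", markup)


def strip_until_stable(markup):
    """Repeat the pass until the output stops changing (fixed point).

    This closes the reassembly case only; it does not prove that no
    other input sequence gets past the filter.
    """
    while True:
        cleaned = strip_once(markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned


def render_as_text(markup):
    """Skip filtering entirely: escape the part so it displays as text."""
    return html.escape(markup)


if __name__ == "__main__":
    print("single pass  :", strip_once(SAMPLE))
    print("fixed point  :", strip_until_stable(SAMPLE))
    print("escaped text :", render_as_text(SAMPLE))
```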
