Date: Tue, 21 Dec 2010 15:06:38 -0600
From: Earl Hood <>
To: oss-security <>
Cc: "Steven M. Christey" <>, non customers <>, Jeff Breidenbach <>
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)

On Tue, Dec 21, 2010 at 8:02 AM, Jan Lieskovsky <> wrote:
> MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).

I hate HTML in mail.

> But fails to do the same example for a string in the form of:
> <scr<body>ipt>alert("elsa");</scr<body>ipt> =>
> <script>alert("elsa");</script>
> Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

I should note that MHonArc documentation warns about HTML mail,
and the recommendation is to disable support of it:

With that said, do you have an available patch that fixes
the problem?

If not, I can look into it during the holiday break to
get a fix for it.  Note, even if there is a fix for the
case you provided, there is no 100% guarantee that there
could be other data input sequences that get by the filter.
Hence, those concerned about security disable the
HTML filter:
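Added illustration, not code from the thread or from MHonArc: a Python sketch of why a single-pass tag filter lets the `<scr<body>ipt>` sequence through, next to two defensive alternatives (re-run the filter until the text stops changing, or escape the HTML entirely, which is what the documentation recommendation above amounts to). The blocked-tag list and the regex are assumptions made for the illustration, not MHonArc's own filter.

```python
import re

# Constructed sample, taken from the report quoted above: a single removal of
# <body> collapses the remaining pieces into a live <script> element.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'

# Hypothetical list of tags a mail-to-HTML converter might strip; the real
# MHonArc filter list is not reproduced here.
BLOCKED = ("script", "body", "iframe", "object")
BLOCKED_TAG = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(BLOCKED), re.IGNORECASE)


def strip_once(html):
    """Single-pass removal (the flawed approach). Removing '<body>' from
    '<scr<body>ipt>' leaves '<script>' in the output."""
    return BLOCKED_TAG.sub("", html)


def strip_to_fixpoint(html, max_rounds=10):
    """Repeat removal until the output stops changing, so any tag that an
    earlier round reconstituted is caught by a later one. The round limit
    turns pathological nesting into a rejection instead of a silent pass."""
    for _ in range(max_rounds):
        cleaned = BLOCKED_TAG.sub("", html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError("input did not stabilise within the round limit; reject it")


def escape_all(html):
    """Render the HTML body as text rather than filtering it. This is the
    robust option: nothing survives as markup, so there is no filter to bypass."""
    return (html.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def contains_live_tag(html):
    """Post-filter check: does any blocked tag remain in the output? Useful as
    a regression test for a filter, not as a substitute for escaping."""
    return BLOCKED_TAG.search(html) is not None
```

Even the fixpoint variant only addresses this one reconstitution trick; as the message says, a removal-based filter carries no guarantee against other input sequences, which is why escaping (or disabling HTML mail) is the safer default.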

