Date: Tue, 21 Dec 2010 15:06:38 -0600
From: Earl Hood <earl@...lhood.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
	non customers <non-customers@...ramail.com>,
	Jeff Breidenbach <jeff@....org>
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)

On Tue, Dec 21, 2010 at 8:02 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:

> MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).

I hate HTML in mail.

> But fails to do the same example for a string in the form of:
>
> <scr<body>ipt>alert("elsa");</scr<body>ipt> =>
> <script>alert("elsa");</script>
>
> Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

I should note that MHonArc documentation warns about HTML mail,
and the recommendation is to disable support of it:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata

With that said, do you have an available patch that fixes the problem?
If not, I can look into it during the holiday break to get a
fix for it.

Note, even if there is a fix for the case you provided, there is
no 100% guarantee that there could be other data input sequences
that get by the filter. Hence, those concerned about security
disable the HTML filter:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

--ewh
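Added example, not part of the original message and not MHonArc's code: a Python sketch of why a filter that deletes blocked tags in a single pass can reassemble the string quoted above, with an idempotence check that catches this class of bug in a regression test. The blocklist, regex and function names are hypothetical; the sample input is the one from the report.

```python
import html
import re

# Hypothetical blocklist for illustration; not MHonArc's actual filter list.
BLOCKED = ("script", "body", "iframe", "object")
TAG_RE = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(BLOCKED), re.IGNORECASE)

# Input string taken from the report quoted in the message.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'


def strip_once(text):
    """Single-pass filter: delete every blocked tag found in one scan."""
    return TAG_RE.sub("", text)


def is_idempotent(text):
    """Regression check: filtering already-filtered output must change nothing.

    If a second pass still removes something, the first pass emitted markup
    that the filter itself considers unsafe.
    """
    once = strip_once(text)
    return strip_once(once) == once


def strip_to_fixpoint(text, max_rounds=20):
    """Re-run the filter until the output is stable.

    This closes the reassembly gap for the tags on the blocklist only; it
    says nothing about markup the blocklist does not name.
    """
    for _ in range(max_rounds):
        filtered = strip_once(text)
        if filtered == text:
            return filtered
        text = filtered
    # Fail closed if the input never stabilises within the round limit.
    return html.escape(text, quote=True)


def render_as_text(text):
    """Alternative that needs no blocklist: show untrusted HTML as plain text."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print("single pass :", strip_once(SAMPLE))
    print("idempotent  :", is_idempotent(SAMPLE))
    print("fixed point :", strip_to_fixpoint(SAMPLE))
    print("as text     :", render_as_text(SAMPLE))
```
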