Date: Tue, 21 Dec 2010 23:27:46 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com, earl@...lhood.com, 607693@...s.debian.org
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)

Earl Hood wrote:
> With that said, do you have an available patch that fixes
> the problem?
> 
> If not, I can look into it during the holiday break to
> get a fix for it.  Note, even if there is a fix for the
> case you provided, there is no 100% guarantee that there
> could be other data input sequences that get by the filter.
> Hence, those concerned about security disable the
> HTML filter:

Attached patch is a quick way to fix it. It increases the processing time 
(it has to run filter() at least twice per message), but ensures that no 
undesired HTML is returned (unless one of the existing routines misses 
something).

What do you think about it?

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

diff -urpN mhonarc-2.6.16-1.orig/lib/mhtxthtml.pl mhonarc-2.6.16-1/lib/mhtxthtml.pl
--- mhonarc-2.6.16-1.orig/lib/mhtxthtml.pl	2005-05-01 19:04:39.000000000 -0500
+++ mhonarc-2.6.16-1/lib/mhtxthtml.pl	2010-12-21 21:09:52.000000000 -0600
@@ -125,6 +125,7 @@ sub filter {
     }
 
     local(@...es) = ();	# XXX: Used by resolve_cid!!!
+    my $orig_data = $$data;
     my $base 	 = '';
     my $title	 = '';
     my $noscript = 1;
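Review bot: the new `my $orig_data = $$data;` needs a short comment beside it, in the style of the `# XXX: Used by resolve_cid!!!` note on the line above, because its only consumer is the change-detection check at the very end of filter(), roughly 230 lines further down (this hunk is at line 125, the other at 352), and a reader of this hunk alone cannot tell why an unfiltered copy of the body is being kept. The copy also holds the full pre-filter message body alive for the whole of filter(), doubling the memory held per message; that cost belongs next to the processing-time cost mentioned in the cover text.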
@@ -352,6 +353,10 @@ sub filter {
     ## <http://www.google.com/googleblog/2005/01/preventing-comment-spam.html>
     $$data =~ s/(<a\b)/$1 rel="nofollow"/gi;
 
+    if ($$data ne $orig_data) {
+	undef $orig_data;
+	return filter(@...
+    }
     ($title.$$data, @files);
 }
 
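Review bot: the fixed-point test `if ($$data ne $orig_data)` is placed directly after `$$data =~ s/(<a\b)/$1 rel="nofollow"/gi;`, and that substitution is not idempotent: on the second pass every `<a` that already carries rel="nofollow" matches `<a\b` again and receives a second copy, so `$$data` differs from `$orig_data` on every pass. Unless something earlier in filter() normalises duplicate attributes, any message containing an anchor therefore never converges, and with no pass counter or depth limit the `return filter(@...` recursion is unbounded. Suggest making the substitution skip anchors that already have a rel attribute (or taking the `$orig_data` snapshot and doing the comparison around the sanitising steps only, before the nofollow rewrite), and replacing the open-ended recursion with a bounded loop that gives up, or falls back to dropping the HTML, after a small fixed number of passes. Separately, the early return hands back only what the recursive call computes, so this invocation's `$title` and `@files` (used in `($title.$$data, @files)`) are discarded; they survive only if the second pass can re-derive them from the already-filtered body. The `undef $orig_data;` before the return is redundant, since the lexical goes out of scope with the return.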


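The fixed-point idea in the message above, reduced to a stand-alone illustration. This is an added example, written in Python rather than Perl, and it is not MHonArc's filter() or any code posted to the list: a constructed single-pass tag stripper that a spliced <script> payload slips past, the loop that re-runs it until the output stops changing, and why that loop needs both a bound and idempotent steps once a substitution such as the patch's rel="nofollow" rewrite sits inside it. The filter, the payload, the link and the pass limit are all constructed for the example.

```python
import re

# Constructed single-pass filter standing in for one run of filter(); NOT
# MHonArc's code.  It removes complete <script>...</script> blocks only, so a
# payload whose <script> tag is assembled by the removal itself survives one
# pass.
SCRIPT_BLOCK = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.I | re.S)


def strip_script_blocks(html: str) -> str:
    return SCRIPT_BLOCK.sub('', html)


# Mirrors the patch's `s/(<a\b)/$1 rel="nofollow"/gi`: every <a gets another
# rel="nofollow" on every pass, so output never equals input once an anchor
# is present.
def add_nofollow_nonidempotent(html: str) -> str:
    return re.sub(r'(<a\b)', r'\1 rel="nofollow"', html, flags=re.I)


# Idempotent variant (a suggestion for this example, not the patch): only
# touch anchors that carry no rel attribute yet, so a second pass is a no-op.
def add_nofollow_idempotent(html: str) -> str:
    return re.sub(r'<a\b(?![^>]*\brel=)', '<a rel="nofollow"', html, flags=re.I)


def filter_to_fixed_point(html, steps, max_passes=8):
    """Re-run all steps until a pass changes nothing (the patch's idea), but
    with a bound instead of open-ended recursion.

    Returns (output, passes, converged).  The default max_passes is an
    illustrative assumption; a real filter would treat converged=False as a
    reason to drop the HTML part entirely.
    """
    for n in range(1, max_passes + 1):
        out = html
        for step in steps:
            out = step(out)
        if out == html:
            return out, n, True
        html = out
    return html, max_passes, False


# Constructed payload: one pass deletes the inner <script></script> and
# thereby splices "<scr" + "ipt>" into a live tag.
BYPASS = 'Hello <scr<script></script>ipt>alert(1)</script> world'
# Constructed link used to show the idempotence problem.
LINK = '<a href="http://example.com/">x</a>'

if __name__ == '__main__':
    print('one pass    :', strip_script_blocks(BYPASS))
    print('fixed point :', filter_to_fixed_point(BYPASS, [strip_script_blocks]))
    print('non-idempot.:', filter_to_fixed_point(
        LINK, [strip_script_blocks, add_nofollow_nonidempotent]))
    print('idempotent  :', filter_to_fixed_point(
        LINK, [strip_script_blocks, add_nofollow_idempotent]))
```

A single pass leaves a live `<script>alert(1)</script>` in the output; the second pass removes it and the third confirms nothing else changes. With the non-idempotent nofollow step in the loop the link never reaches a fixed point and the loop stops only because of the bound, carrying one `rel="nofollow"` per pass; with the idempotent step it converges on the second pass.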