Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4D10B36F.3010205@redhat.com>
Date: Tue, 21 Dec 2010 15:02:23 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Earl Hood <earl@...lhood.com>,
        "non customers" <non-customers@...ramail.com>
Subject: CVE Request -- MHonArc: Improper escaping of certain HTML sequences
 (XSS)

Hello Steve, vendors,

   MHonArc, a Perl mail-to-HTML converter, failed to
properly escape certain HTML sequences. A remote
attacker could provide a specially-crafted email
message and trick the local user to convert it
into HTML format. Subsequent preview of such
message might potentially execute arbitrary HTML
or scripting code (XSS).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607693
[2] https://bugzilla.redhat.com/show_bug.cgi?id=664718

Public PoC:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=elsatest.mbox;att=1;bug=607693

Further issue note:
-------------------
MHonArc properly escapes for example:

<script>alert("elsa");</script> =>

&lt;script&gt;alert(&quot;elsa&quot;);&lt;/script&gt;

But fails to do the same example for a string in the form of:

<scr<body>ipt>alert("elsa");</scr<body>ipt> =>

<script>alert("elsa");</script>

Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

Could you allocate a CVE id for this issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.