Message-ID: <AANLkTik=DM41TshM+5HwZ-TGM+trZLXAj_Z2d3yP0SyV@mail.gmail.com>
Date: Thu, 30 Dec 2010 11:01:35 -0800
From: Jeff Breidenbach <jeff@....org>
To: Earl Hood <earl@...lhood.com>
Cc: oss-security <oss-security@...ts.openwall.com>, "Steven M. Christey" <coley@...us.mitre.org>, non customers <non-customers@...ramail.com>
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)

Earl,

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

One of my hats is the Debian package maintainer for mhonarc. I'm
tempted to disable HTML mail support by default rather than try to
improve it. What do you think about the idea? What do you think
about implementation? The package does not have control over the
resource file, so it would probably have to be a code patch.

-Jeff