oss-sec mailing list archives
Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)
From: Raphael Geissert <geissert () debian org>
Date: Tue, 21 Dec 2010 23:27:46 -0600
Earl Hood wrote:
With that said, do have an available patch that fixes the problem? If not, I can look into it during the holiday break to get a fix for it. Note, even if there is a fix for the case you provided, there is no 100% guarantee that there could be other data input sequences that get by the filter. Hence, those concerned about security disable the HTML filter:
Attached patch is a quick way to fix it. It increases the processing time (it has to run filter() at least twice per message,) but ensures that no undesired html is returned (unless one of the existing routines misses something.) What do you think about it? Regards, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Attachment:
mhonarc.CVE-2010-4524.patch
Description:
Current thread:
- CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Jan Lieskovsky (Dec 21)
- Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Earl Hood (Dec 21)
- Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Raphael Geissert (Dec 22)
- Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Jeff Breidenbach (Dec 30)
- Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Josh Bressers (Dec 21)
- Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS) Earl Hood (Dec 21)