oss-sec mailing list archives
Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)
From: Earl Hood <earl () earlhood com>
Date: Tue, 21 Dec 2010 15:06:38 -0600
On Tue, Dec 21, 2010 at 8:02 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:
> MHonArc, a Perl mail-to-HTML converter, failed to properly escape certain HTML sequences. A remote attacker could provide a specially-crafted email message and trick the local user to convert it into HTML format. Subsequent preview of such message might potentially execute arbitrary HTML or scripting code (XSS).

I hate HTML in mail.

> But fails to do the same example for a string in the form of:
> <scr<body>ipt>alert("elsa");</scr<body>ipt> => <script>alert("elsa");</script>
>
> Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

I should note that MHonArc documentation warns about HTML mail, and the recommendation is to disable support of it:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata

With that said, do you have an available patch that fixes the problem? If not, I can look into it during the holiday break to get a fix for it.

Note, even if there is a fix for the case you provided, there is no 100% guarantee that there could be other data input sequences that get by the filter. Hence, those concerned about security disable the HTML filter:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

--ewh
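
The failure mode reported in this thread, as an added example that is not part of the original messages and is not MHonArc's code: a hypothetical single-pass tag-stripping filter is run on the sample string from the report, next to a repeat-until-stable variant and plain escaping. The `STRIPPED` tag list and all function names are assumptions made for illustration.

```python
import html
import re

# Sample string quoted in the report above.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'

# Assumption: a simplified blocklist filter, not MHonArc's real implementation.
# It deletes whole tags from a fixed list and leaves everything else alone.
STRIPPED = re.compile(r"</?(?:script|body|html|head)\b[^>]*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def strip_once(markup: str) -> str:
    """Weak form: one pass. Deleting an inner tag can splice a new tag together."""
    return STRIPPED.sub("", markup)


def strip_to_fixed_point(markup: str, max_rounds: int = 32) -> str:
    """Re-run the filter until the output stops changing."""
    for _ in range(max_rounds):
        cleaned = strip_once(markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned
    # Still changing after max_rounds: fail closed and emit inert text.
    return html.escape(markup)


def escape_all(markup: str) -> str:
    """Treat the part as text: nothing in it is interpreted as markup."""
    return html.escape(markup, quote=True)


def has_script_tag(markup: str) -> bool:
    return SCRIPT_TAG.search(markup) is not None


def compare(markup: str) -> dict:
    """Run all three treatments and report whether a script tag survives."""
    results = {
        "single pass": strip_once(markup),
        "fixed point": strip_to_fixed_point(markup),
        "escaped": escape_all(markup),
    }
    return {name: (out, has_script_tag(out)) for name, out in results.items()}


if __name__ == "__main__":
    for name, (out, unsafe) in compare(SAMPLE).items():
        print(f"{name:12} script tag survives={unsafe!s:5} {out}")
```

The fixed-point variant closes only this splice case; escaping, like the documentation's recommendation to disable HTML support, does not depend on the blocklist being complete.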