oss-sec mailing list archives

Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)


From: Earl Hood <earl () earlhood com>
Date: Tue, 21 Dec 2010 15:06:38 -0600

On Tue, Dec 21, 2010 at 8:02 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:
> MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).

I hate HTML in mail.

> But fails to do the same example for a string in the form of:
>
> <scr<body>ipt>alert("elsa");</scr<body>ipt> =>
> <script>alert("elsa");</script>
>
> Affected versions: Issue confirmed in latest MHonArc-2.6.16 version

I should note that MHonArc documentation warns about HTML mail,
and the recommendation is to disable support of it:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata

With that said, do you have an available patch that fixes
the problem?

If not, I can look into it during the holiday break to
get a fix for it.  Note, even if there is a fix for the
case you provided, there is no 100% guarantee that there
could be other data input sequences that get by the filter.
Hence, those concerned about security disable the
HTML filter:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

--ewh
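
The reassembly quoted in the report, as an added example (not MHonArc's code and not written by either poster): a constructed Python model of a filter that deletes tags in a single pass, next to a fixed-point version and plain escaping. The tag lists, the pass order and all function names are assumptions chosen to reproduce the quoted transformation.

```python
import html
import re

# Constructed model, not MHonArc's filter: the tag lists and the pass order
# are assumptions chosen to reproduce the transformation quoted in the thread.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
WRAPPER_TAG = re.compile(r"</?(?:html|head|body)\b[^>]*>", re.IGNORECASE)


def filter_single_pass(markup: str) -> str:
    """Remove script tags, then wrapper tags, each exactly once."""
    markup = SCRIPT_TAG.sub("", markup)
    return WRAPPER_TAG.sub("", markup)


def filter_to_fixpoint(markup: str, max_rounds: int = 16) -> str:
    """Re-run both passes until the output stops changing."""
    for _ in range(max_rounds):
        cleaned = filter_single_pass(markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned
    # Input that never stabilises is rejected rather than emitted.
    raise ValueError("input did not stabilise; refusing to emit it as HTML")


def render_as_text(markup: str) -> str:
    """Stricter option: emit the part as escaped text, never as markup."""
    return html.escape(markup, quote=True)


def has_script_tag(markup: str) -> bool:
    """True if a literal script open or close tag survives in the output."""
    return SCRIPT_TAG.search(markup) is not None


# The string quoted in the report above.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'

if __name__ == "__main__":
    for name, fn in [("single pass", filter_single_pass),
                     ("fixpoint", filter_to_fixpoint),
                     ("escaped text", render_as_text)]:
        out = fn(SAMPLE)
        print(f"{name:13} script tag present={has_script_tag(out)}  {out}")
```

Reaching a fixed point closes only this reassembly case in the model; escaping the part as text is the one behaviour here that does not depend on the filter recognising every input sequence.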

