MHonArc Security Advisory: XSS vulnerability
Description:
-----------
A Cross Site Scripting (XSS) vulnerability exists for MHonArc
versions 2.5.12 and earlier. XSS can be introduced in
message headers by carefully crafted message field labels. For
example:
    To: <someone@example.com>
    From: <hacker@example.com>
    Header<SCRIPT>hello</SCRIPT>def: whatever
Solution:
--------
Upgrade to v2.5.13.
Work-Arounds:
------------
Remove the use of '-extra-' in the FIELDORDER resource. If removed,
only the field labels given in FIELDORDER will be displayed on converted
message pages.
Acknowledgements:
----------------
Thanks to Steven M. Christey for discovering this problem.
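
Added example (not MHonArc code and not part of the original advisory): a small Python model of a header-to-HTML converter that copies field labels verbatim, next to a version that escapes labels and can restrict output to a fixed label list, as the work-around does. The function names, the HTML layout and the ALLOWED list are assumptions made for illustration.

```python
import html
import re

# Constructed sample: the header block from the advisory's example.
SAMPLE = (
    "To: <someone@example.com>\n"
    "From: <hacker@example.com>\n"
    "Header<SCRIPT>hello</SCRIPT>def: whatever\n"
)

# Hypothetical allowlist standing in for a FIELDORDER without '-extra-'.
ALLOWED = ("to", "subject", "from", "date")

def parse_headers(block):
    """Split 'label: value' lines at the first colon (no folding support)."""
    fields = []
    for line in block.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields.append((label, value.strip()))
    return fields

def render_unsafe(fields):
    """Model of the flaw: values are escaped, labels are copied verbatim."""
    return "".join(
        "<li><b>%s</b>: %s</li>\n" % (label, html.escape(value))
        for label, value in fields
    )

def render_safe(fields, allowed=None):
    """Escape labels too; with `allowed`, drop every label not listed."""
    out = []
    for label, value in fields:
        if allowed is not None and label.lower() not in allowed:
            continue
        out.append("<li><b>%s</b>: %s</li>\n"
                   % (html.escape(label), html.escape(value)))
    return "".join(out)

def suspicious_labels(fields):
    """Flag labels outside a conservative set (letters, digits, '-')."""
    return [label for label, _ in fields
            if not re.fullmatch(r"[A-Za-z0-9-]+", label)]

if __name__ == "__main__":
    parsed = parse_headers(SAMPLE)
    print(render_unsafe(parsed))         # label markup reaches the page
    print(render_safe(parsed))           # label markup is entity-encoded
    print(render_safe(parsed, ALLOWED))  # unknown label is not displayed
```

suspicious_labels() can be run over stored messages to find field labels that would have been rendered as markup by an unpatched converter.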