Summary A cross-site scripting (XSS) vulnerability has been discovered for all versions of MHonArc upto, and including, v2.5.13. A specially crafted HTML mail message can introduce foreign scripting content in archives, by-passing MHonArc's HTML script filtering. Any MHonArc archives that allow HTML mail content are vulnerable. Details: At this time, details of the vulnerability are not being disclosed until MHonArc users have adequate time to apply the Solutions listed below. No known exploits of the vulnerability has been reported. The vulnerability was discovered by the MHonArc development team. Solutions: * Upgrade to v2.5.14. * Or, disable HTML content from archives (something that is recommended in the MHonArc FAQ for obvious security reasons). HTML content can be disabled as follows with the following resource settings: <MIMEExcs> text/html text/x-html </MIMEExcs> If running versions prior to 2.4.9 that does not support MIMEEXCS, then you can do the following: <MIMEFilters> text/html; m2h_text_plain::filter; mhtxtplain.pl text/x-html; m2h_text_plain::filter; mhtxtplain.pl </MIMEFilters> Which causes all HTML data to be treated like text/plain data. This can be done for later versions also if you do not want to exclude HTML messages entirely. Versions Affected: All versions upto, and including, v2.5.13. Development snapshots dated 2002-12-21 and earlier. Availability: Homepage: <http://www.mhonarc.org/> Releases: <http://www.mhonarc.org/release/MHonArc/tar/> -- Earl Hood, <earl@earlhood.com> Web: <http://www.earlhood.com/> PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
Attachment:
pgp00006.pgp
Description: PGP signature