[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MHonArc Security Advisory: XSS vulnerability with HTML messages



Summary

    A cross-site scripting (XSS) vulnerability has been discovered for
    all versions of MHonArc upto, and including, v2.5.13.  A specially
    crafted HTML mail message can introduce foreign scripting content
    in archives, by-passing MHonArc's HTML script filtering.

    Any MHonArc archives that allow HTML mail content are vulnerable.

Details:

    At this time, details of the vulnerability are not being disclosed
    until MHonArc users have adequate time to apply the Solutions
    listed below.

    No known exploits of the vulnerability has been reported.
    The vulnerability was discovered by the MHonArc development team.

Solutions:

    * Upgrade to v2.5.14.

    * Or, disable HTML content from archives (something that is
      recommended in the MHonArc FAQ for obvious security reasons).
      HTML content can be disabled as follows with the following
      resource settings:

	<MIMEExcs>
	text/html
	text/x-html
	</MIMEExcs>

      If running versions prior to 2.4.9 that does not support
      MIMEEXCS, then you can do the following:

	<MIMEFilters>
	text/html;    m2h_text_plain::filter;  mhtxtplain.pl
	text/x-html;  m2h_text_plain::filter;  mhtxtplain.pl
	</MIMEFilters>

      Which causes all HTML data to be treated like text/plain data.
      This can be done for later versions also if you do not want
      to exclude HTML messages entirely.

Versions Affected:

    All versions upto, and including, v2.5.13.
    Development snapshots dated 2002-12-21 and earlier.

Availability:

    Homepage: <http://www.mhonarc.org/>
    Releases: <http://www.mhonarc.org/release/MHonArc/tar/>

-- 
Earl Hood, <earl@earlhood.com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

Attachment: pgp00006.pgp
Description: PGP signature


[Index of Archives]     [Bugtraq]     [Yosemite News]     [Mhonarc Home]