
Re: Potential bug with image handling in MH 2.6.0?



> The problem is subtle and it appears to be an inconsistency with
> mail composer software (I guess Outlook Express in this case) and
> not with MHonArc.  Let's look at the IMG tag again:
>
>   <IMG style="WIDTH: 213px; HEIGHT: 279px" height=827 alt=""
>   -------------------^^^------------^^^   --------^^^
>        hspace=0 src="cid:002701c23ee6$1fe5cfb0$0100007f@your9hpe8b9zly";
>        width=266 align=baseline border=0>
>   -----------^^^
>
> I decoded the quoted-printable text so it is more readable.  Take
> a look at the width/height settings in the style attribute vs the
> width/height attribute values.  They are different.  By default, MHonArc
> strips out style attributes for security reasons (to prevent XSS
> exploits).  Therefore, it just leaves the width and height attributes,
> 266x827.
>
> In MHonArc 2.4, the style attribute was probably not stripped by
> default, but later versions do strip it to avoid XSS exploits.
>
> Take extreme caution if you are considering allowing scripting markup
> in your archives.  To work around the problem and to not open up
> your archives to XSS vulnerabilities, some custom coding would need
> to be done.

Yep, I can see the inconsistency.  The problem is the user end really.  I am
trying to create a nice system so that users can email updates to their
"diary" page from their email program - most of them use Outlook Express
(their choice), and the picture appears correctly in Outlook (even though
the HTML is actually screwy).

I really need to think about how to let them keep the functionality, because
to a large extent they don't/needn't care about Outlook bugs...  I wonder if
most browsers would display this correctly if I completely removed the
erroneous "height" tag and just left the width tag?

Also, apologies for my ignorance, but what sort of XSS vulnerabilities do I
expose myself to if there is a password-protected update mechanism?  Is the
risk that a particular user could upload something nasty for when another
user views it?

Also, is it easy for me to modify the code to allow limited style tags to be
available?  Can you point me to the relevant lines please?  (Perhaps I could
use a regexp to allow only style tags with height and width attributes?)

Thanks again

Ed
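
The whitelist idea raised in the message above (keep only width and height from a style attribute), as an added example that is not part of the original thread and is not MHonArc code. The function names are hypothetical, and the input is assumed to be a single tag already isolated by the caller.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of MHonArc): reduce a style attribute value
# to its width/height declarations. Everything else is dropped.
sub filter_style_value {
    my ($style) = @_;
    my @keep;
    for my $decl (split /;/, $style) {
        # The whole declaration must match: property, colon, plain length.
        # The \A...\z anchors reject url(), functions, escapes and comments,
        # and the output is rebuilt from the captured tokens only.
        if ($decl =~ /\A\s*(width|height)\s*:\s*(\d{1,4}(?:px|%)?)\s*\z/i) {
            push @keep, lc($1) . ': ' . lc($2);
        }
    }
    return join('; ', @keep);
}

# Hypothetical helper: rewrite each style attribute (double-quoted,
# single-quoted or unquoted) in one tag, and remove the attribute
# entirely when no declaration survives the whitelist.
sub filter_style_attrs {
    my ($tag) = @_;
    $tag =~ s{\s+style\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))}{
        my $safe = filter_style_value($1 // $2 // $3);
        length $safe ? qq{ style="$safe"} : '';
    }geix;
    return $tag;
}

# First sample is the tag quoted in this thread (cid: source shortened to a
# placeholder); the other two are constructed for illustration.
my @samples = (
    '<IMG style="WIDTH: 213px; HEIGHT: 279px" height=827 alt="" src="cid:PLACEHOLDER" width=266>',
    '<P style="position: absolute; width: 50%; background: url(x.gif)">',
    '<DIV style="color: red">',
);
print filter_style_attrs($_), "\n" for @samples;
```

Because the filter accepts by full match rather than rejecting known-bad strings, a declaration written with entities or CSS escapes does not match and is dropped instead of passed through.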
