Debian: DSA 164-1 Severe: Mhonarc Cross Site Scripting Vulnerability

September 9, 2002
Address cross-site scripting threats in mhonarc as outlined in Debian DSA 163-1. Upgrading your system is strongly recommended to protect against possible risks.
When processing maliciously crafted mails of type text/html, mhonarc does not deactivate all scripting parts properly.

Summary

Jason Molenda and Hiromitsu Takagi found ways to exploit cross-site
scripting bugs in mhonarc, a mail to HTML converter. When processing
maliciously crafted mails of type text/html, mhonarc does not
deactivate all scripting parts properly. This is fixed in upstream
version 2.5.3.

If you are worried about security, it is recommended that you disable
support of text/html messages in your mail archives. There is no
guarantee that the mhtxthtml.pl library is robust enough to eliminate
all possible exploits that can occur with HTML data.

To exclude HTML data, you can use the MIMEEXCS resource. For example:

    <MIMEEXCS>
    text/html
    text/x-html
    </MIMEEXCS>

The "text/x-html" type is probably not used any more, but it is good to
include it just in case.

If you are concerned that this could block out the entire contents of
some messages, then you could do the following instead:

    <MIMEFILTERS>
    text/html; m2h_text_plain::filter; mhtxtplain.pl
    text/x-html; m2h_text_plain::filter; mhtxtplain.pl
    </MIMEFILTERS>


This treats the HTML as text/plain.
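Whether an archive's resource file applies either of the two mitigations above can be checked mechanically. The following is an added example, not code from the advisory or from the MHonArc project: it parses the MIMEEXCS and MIMEFILTERS sections of a resource file and reports how each HTML content type would be handled; the sample resource file is constructed for the demonstration.

```python
import re

# Constructed sample MHonArc resource file (not taken from the advisory).
# text/x-html is excluded outright; text/html is downgraded to text/plain.
SAMPLE_RC = """<MIMEEXCS>
text/x-html
</MIMEEXCS>

<MIMEFILTERS>
text/html; m2h_text_plain::filter; mhtxtplain.pl
text/plain; m2h_text_plain::filter; mhtxtplain.pl
</MIMEFILTERS>
"""

HTML_TYPES = ("text/html", "text/x-html")
PLAIN_FILTER = "m2h_text_plain::filter"  # filter named in the advisory

def parse_resource(text):
    """Map each <NAME>...</NAME> resource block to its non-empty lines."""
    resources = {}
    for m in re.finditer(r"<(\w+)[^>]*>(.*?)</\1>", text, re.S | re.I):
        name = m.group(1).upper()
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        resources.setdefault(name, []).extend(lines)
    return resources

def html_handling(text):
    """For each HTML type: 'excluded', 'plain', 'other' (custom filter) or 'default'."""
    rc = parse_resource(text)
    excluded = {t.lower() for t in rc.get("MIMEEXCS", [])}
    filters = {}
    for line in rc.get("MIMEFILTERS", []):
        # MIMEFILTERS lines are "content-type; filter-function; filter-file"
        parts = [p.strip() for p in line.split(";")]
        if len(parts) >= 2:
            filters[parts[0].lower()] = parts[1]
    result = {}
    for t in HTML_TYPES:
        if t in excluded:
            result[t] = "excluded"
        elif t in filters:
            result[t] = "plain" if filters[t] == PLAIN_FILTER else "other"
        else:
            result[t] = "default"  # left to MHonArc's built-in HTML filter
    return result

def is_hardened(text):
    """True only if every HTML type is excluded or rendered as text/plain."""
    return all(v in ("excluded", "plain") for v in html_handling(text).values())
```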

...

Severity: critical

Package: mhonarc
