Subject: mhonarc: cross-site scripting when converting HTML mails
Package: mhonarc
Version: 2.6.16-1
Severity: important
Tags: security

MHonArc has a cross-site scripting (XSS) security issue when converting
HTML mails with malformed HTML tags of the form "<scr<body>ipt>":

$ mhonarc elsatest.mbox
This is MHonArc v2.6.16, Perl 5.010001 linux
Converting messages to .
Reading elsatest.mbox .
Writing mail .
Writing ./maillist.html ...
Writing ./threads.html ...
Writing database ...
1 new messages
1 total messages

$ cat msg00000.html
<!-- MHonArc v2.6.16 -->
<!--X-Subject: mhonarc test -->
[..]
<!--X-Body-of-Message-->
<script>alert("elsa");</script>
<!--X-Body-of-Message-End-->
[..]

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mhonarc depends on:
ii  perl                       5.10.1-16  Larry Wall's Practical Extraction

Versions of packages mhonarc recommends:
ii  perl [libdigest-md5-perl]  5.10.1-16  Larry Wall's Practical Extraction

mhonarc suggests no packages.

-- no debconf information

-- 
non-customers crew | http://rock-madrid.com/
Attachment: elsatest.mbox (Description: Binary data)
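The report above describes a single-pass sanitizer bypass: when the filter deletes the embedded <body> tag, the fragments "<scr" and "ipt>" are spliced back into a <script> tag that the filter never examined. The following Python illustration is an added example, not MHonArc's own code; the block list and the fixpoint rewrite are assumptions used to show the failure and one defensive correction.

```python
import re
from html import escape

# Constructed sample: the malformed tag shape from the bug report, wrapped
# around the payload that appeared in msg00000.html.
SAMPLE = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'
BENIGN = '<p>Hello <b>world</b></p>'

# Assumed block list for this illustration; MHonArc's real list differs.
DISALLOWED = ("script", "body", "html", "head")
TAG_RE = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(DISALLOWED), re.IGNORECASE)


def strip_once(html):
    """Single-pass removal, the flawed pattern: deleting the inner <body>
    splices 'scr' and 'ipt>' together into a <script> tag that is emitted."""
    return TAG_RE.sub("", html)


def is_clean(html):
    """True when no disallowed tag remains in the text."""
    return TAG_RE.search(html) is None


def strip_to_fixpoint(html, max_passes=10):
    """Repeat removal until the text stops changing, so a tag reassembled by
    one pass is caught by the next. Returns (output, number of passes that
    changed something); a count above 1 is worth logging as a bypass attempt.
    If the text is still changing after max_passes, escape it as plain text
    instead of emitting markup at all."""
    changes = 0
    for _ in range(max_passes):
        stripped = TAG_RE.sub("", html)
        if stripped == html:
            return html, changes
        html, changes = stripped, changes + 1
    return escape(html), changes


if __name__ == "__main__":
    print("single pass :", strip_once(SAMPLE))       # <script> survives
    print("fixpoint    :", strip_to_fixpoint(SAMPLE)) # tag gone, 2 passes
```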