Bug 664718 (CVE-2010-4524)

Summary: CVE-2010-4524 MHonArc: Improper escaping of certain HTML sequences (XSS)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
CC: jamatos, tremble, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 664730, 928096
Attachments:
Patch proposal by Raphael Geissert of Debian (Flags: none)

Description Jan Lieskovsky 2010-12-21 13:13:16 UTC
MHonArc, a Perl mail-to-HTML converter, failed to properly escape
certain HTML sequences. A remote attacker could provide a
specially-crafted email message and trick the local user into
converting it into HTML format. Subsequent preview of such a
message might potentially execute arbitrary HTML or scripting
code (XSS).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607693

Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=elsatest.mbox;att=1;bug=607693

Further issue note:
-------------------
MHonArc properly escapes for example:

<script>alert("elsa");</script> =>

&lt;script&gt;alert(&quot;elsa&quot;);&lt;/script&gt;

But fails to do the same for a string of the form:

<scr<body>ipt>alert("elsa");</scr<body>ipt> =>

<script>alert("elsa");</script>

Comment 1 Jan Lieskovsky 2010-12-21 13:55:42 UTC
This issue affects the versions of the mhonarc package as shipped
with Fedora releases 13 and 14.

This issue affects the versions of the mhonarc package as present
within the EPEL-5 and EPEL-6 repositories.

Please schedule an update once a patch for the issue is known.

Comment 2 Jan Lieskovsky 2010-12-21 14:05:15 UTC
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/21/4

Comment 3 Jan Lieskovsky 2010-12-21 14:06:37 UTC
Created mhonarc tracking bugs for this issue

Affects: fedora-all [bug 664730]

Comment 4 Jan Lieskovsky 2010-12-22 09:48:53 UTC
The CVE identifier of CVE-2010-4524 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/12/22/4

Comment 5 Jan Lieskovsky 2010-12-22 17:14:44 UTC
Created attachment 470267
Patch proposal by Raphael Geissert of Debian

And relevant comment regarding it:
----------------------------------

Attached patch is a quick way to fix it. It increases the processing
time (it has to run filter() at least twice per message), but ensures
that no undesired html is returned (unless one of the existing routines
misses something).

What do you think about it?

Note: 
-----
This patch still needs blessing from upstream (Earl Hood).
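Added illustration, not MHonArc's code or the Debian patch: a constructed one-pass tag filter in Python shows how removing `<body>` splices the description's `<scr<body>ipt>` sample into a live `<script>` tag, and how re-running the filter until nothing changes (the "filter() at least twice" approach from the patch comment, generalised to a fixpoint with a fail-closed escape) closes that gap. The allow list, regex and helper names are assumptions for the example.

```python
import html
import re

# Constructed stand-in for a one-pass HTML tag filter (not MHonArc's own code).
# Any tag whose name is not on the allow list is removed; text is left as-is.
ALLOWED_TAGS = {"b", "i", "p", "br"}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")

# Constructed sample input, the form quoted in the bug description.
PAYLOAD = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'


def strip_once(text):
    """Single pass: drop every disallowed tag.  Removing '<body>' can
    splice the surrounding fragments into a brand-new tag."""
    def keep_or_drop(match):
        return match.group(0) if match.group(1).lower() in ALLOWED_TAGS else ""
    return TAG_RE.sub(keep_or_drop, text)


def strip_to_fixpoint(text, max_rounds=8):
    """Re-run the filter until a pass changes nothing (the Debian patch's
    'filter() at least twice' idea, generalised to a fixpoint).  If the
    input has not settled after max_rounds, fail closed by escaping it."""
    for _ in range(max_rounds):
        filtered = strip_once(text)
        if filtered == text:
            return filtered
        text = filtered
    return html.escape(text)


def has_disallowed_tag(text):
    """Check a filter's output: True if any tag that should have been
    removed is still present."""
    return any(m.group(1).lower() not in ALLOWED_TAGS
               for m in TAG_RE.finditer(text))


if __name__ == "__main__":
    once = strip_once(PAYLOAD)
    print("one pass :", once, "| leaks tag:", has_disallowed_tag(once))
    fixed = strip_to_fixpoint(PAYLOAD)
    print("fixpoint :", fixed, "| leaks tag:", has_disallowed_tag(fixed))
```

The single pass returns `<script>alert("elsa");</script>`, exactly the outcome the description reports; the fixpoint pass returns `alert("elsa");` with no tag left.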

Comment 6 Vincent Danen 2011-01-04 16:43:27 UTC
Upstream has committed a fix for this, so any snapshot release dated 2010-12-30 or later has the fix:

http://www.mhonarc.org/release/MHonArc/dist/

and the following is the upstream bug:

http://savannah.nongnu.org/bugs/?32013

Also note that upstream has noted that the FAQ discusses the risks of HTML mail and how to disable it in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

Comment 8 Vincent Danen 2013-03-26 21:23:41 UTC
Created mhonarc tracking bugs for this issue

Affects: epel-all [bug 928096]

Comment 9 Vincent Danen 2013-03-26 21:24:45 UTC
Current Fedora has the fixed 2.6.18 version, but current EPEL still ships the vulnerable 2.6.16 version.