Bug 664718 (CVE-2010-4524) - CVE-2010-4524 MHonArc: Improper escaping of certain HTML sequences (XSS)
Summary: CVE-2010-4524 MHonArc: Improper escaping of certain HTML sequences (XSS)
Keywords:
Status: ASSIGNED
Alias: CVE-2010-4524
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 664730 928096
Blocks:
Reported: 2010-12-21 13:13 UTC by Jan Lieskovsky
Modified: 2023-07-07 08:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments
Patch proposal by Raphael Geissert of Debian (709 bytes, patch), 2010-12-22 17:14 UTC, Jan Lieskovsky

Description Jan Lieskovsky 2010-12-21 13:13:16 UTC
MHonArc, a Perl mail-to-HTML converter, failed to properly escape certain HTML sequences. A remote attacker could provide a specially-crafted email message and trick the local user into converting it into HTML format. Subsequent preview of such a message might potentially execute arbitrary HTML or scripting code (XSS).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607693

Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=elsatest.mbox;att=1;bug=607693

Further issue note:
-------------------
MHonArc properly escapes for example:

<script>alert("elsa");</script> =>

&lt;script&gt;alert(&quot;elsa&quot;);&lt;/script&gt;

But fails to do the same for a string of the form:

<scr<body>ipt>alert("elsa");</scr<body>ipt> =>

<script>alert("elsa");</script>

Comment 1 Jan Lieskovsky 2010-12-21 13:55:42 UTC
This issue affects the versions of the mhonarc package, as shipped
with Fedora releases 13 and 14.

This issue affects the versions of the mhonarc package, as present
within the EPEL-5 and EPEL-6 repositories.

Please schedule an update once a patch for the issue is known.

Comment 2 Jan Lieskovsky 2010-12-21 14:05:15 UTC
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/21/4

Comment 3 Jan Lieskovsky 2010-12-21 14:06:37 UTC
Created mhonarc tracking bugs for this issue

Affects: fedora-all [bug 664730]

Comment 4 Jan Lieskovsky 2010-12-22 09:48:53 UTC
The CVE identifier of CVE-2010-4524 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/12/22/4

Comment 5 Jan Lieskovsky 2010-12-22 17:14:44 UTC
Created attachment 470267 [details]
Patch proposal by Raphael Geissert of Debian

And relevant comment regarding it:
----------------------------------

Attached patch is a quick way to fix it. It increases the processing
time (it has to run filter() at least twice per message), but ensures
that no undesired HTML is returned (unless one of the existing routines
misses something).

What do you think about it?

Note: 
-----
This patch still needs blessing from upstream (Earl Hood).
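
The following is an added, constructed model of the failure mode shown in the description and of the repeated-filter approach taken by the attached patch; it is not MHonArc's code, and the function names, regular expressions and the set of stripped tags are assumptions. A sanitizer that first escapes <script> elements and then strips <body> tags is not idempotent, so one pass reassembles a tag from `<scr<body>ipt>`, while re-running the filter until its output stops changing closes that gap.

```python
import re
from html import escape

# Constructed model (not MHonArc's mhtxthtml.pl): one pass entity-escapes whole
# <script> elements, then removes structural tags that do not belong inside an
# archived message body.
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
STRUCTURAL_TAG = re.compile(r"</?(body|html|head)\b[^>]*>", re.I)


def neutralize_scripts(html: str) -> str:
    """Replace every <script>...</script> element by its entity-escaped text."""
    return SCRIPT_ELEMENT.sub(lambda m: escape(m.group(0)), html)


def strip_structural(html: str) -> str:
    """Drop <body>, <html> and <head> tags; their removal can join fragments."""
    return STRUCTURAL_TAG.sub("", html)


def filter_once(html: str) -> str:
    """Single-pass filter: escape, then strip. Vulnerable to split-tag input."""
    return strip_structural(neutralize_scripts(html))


def filter_until_stable(html: str, max_rounds: int = 10) -> str:
    """Re-run the filter until a pass changes nothing (the patch's strategy)."""
    for _ in range(max_rounds):
        out = filter_once(html)
        if out == html:
            return out
        html = out
    raise ValueError("filter did not converge")


def is_idempotent(html: str) -> bool:
    """Defender's check: a second pass that changes the output means a bypass."""
    once = filter_once(html)
    return filter_once(once) == once
```

The split-tag sample from the description fails `is_idempotent`, and `filter_until_stable` returns the same escaped text that the single pass produces for the plain `<script>` sample.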

Comment 6 Vincent Danen 2011-01-04 16:43:27 UTC
Upstream has committed a fix for this, so any snapshot release dated 2010-12-30 or later has the fix:

http://www.mhonarc.org/release/MHonArc/dist/

and the following is the upstream bug:

http://savannah.nongnu.org/bugs/?32013

Also note that upstream has noted that the FAQ discusses the risks of HTML mail and how to disable it in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

Comment 8 Vincent Danen 2013-03-26 21:23:41 UTC
Created mhonarc tracking bugs for this issue

Affects: epel-all [bug 928096]

Comment 9 Vincent Danen 2013-03-26 21:24:45 UTC
Current Fedora has the fixed 2.6.18 version, but current EPEL still ships the vulnerable 2.6.16 version.
