Bug 664718 - (CVE-2010-4524) CVE-2010-4524 MHonArc: Improper escaping of certain HTML sequences (XSS)
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20101221,repor...
Keywords: Security
Depends On: 664730 928096
Reported: 2010-12-21 08:13 EST by Jan Lieskovsky
Modified: 2016-03-04 07:48 EST
Doc Type: Bug Fix
Attachments:
Patch proposal by Raphael Geissert of Debian (709 bytes, patch), 2010-12-22 12:14 EST, Jan Lieskovsky
Description Jan Lieskovsky 2010-12-21 08:13:16 EST
MHonArc, a Perl mail-to-HTML converter, failed to
properly escape certain HTML sequences. A remote
attacker could provide a specially-crafted email
message and trick the local user into converting it
into HTML format. Subsequent preview of such a
message might potentially execute arbitrary HTML
or scripting code (XSS).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607693

Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=elsatest.mbox;att=1;bug=607693

Further issue note:
-------------------
MHonArc properly escapes for example:

<script>alert("elsa");</script> =>

&lt;script&gt;alert(&quot;elsa&quot;);&lt;/script&gt;

But fails to do the same for a string of the form:

<scr<body>ipt>alert("elsa");</scr<body>ipt> =>

<script>alert("elsa");</script>
Comment 1 Jan Lieskovsky 2010-12-21 08:55:42 EST
This issue affects the versions of the mhonarc package, as shipped
with Fedora releases 13 and 14.

This issue affects the versions of the mhonarc package, as present
within the EPEL-5 and EPEL-6 repositories.

Please schedule an update once a patch for the issue is known.
Comment 2 Jan Lieskovsky 2010-12-21 09:05:15 EST
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/21/4
Comment 3 Jan Lieskovsky 2010-12-21 09:06:37 EST
Created mhonarc tracking bugs for this issue

Affects: fedora-all [bug 664730]
Comment 4 Jan Lieskovsky 2010-12-22 04:48:53 EST
The CVE identifier of CVE-2010-4524 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/12/22/4
Comment 5 Jan Lieskovsky 2010-12-22 12:14:44 EST
Created attachment 470267 [details]
Patch proposal by Raphael Geissert of Debian

And relevant comment regarding it:
----------------------------------

Attached patch is a quick way to fix it. It increases the processing
time (it has to run filter() at least twice per message) but ensures
that no undesired HTML is returned (unless one of the existing routines
misses something).

What do you think about it?

Note: 
-----
This patch needs blessing from upstream (Earl Hood) yet.
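The two behaviours discussed above, the `<scr<body>ipt>` bypass in the description and the "run filter() at least twice" remedy proposed in comment 5, modelled as an added Python example. This is not MHonArc's code and not the attached patch: the filter chain (escape dangerous tags, then strip structural wrapper tags), the tag lists and the function names are this example's own assumptions about how two single-pass filters can interact so that the second one reassembles a tag the first one already checked.

```python
import re

# Constructed model of the CVE-2010-4524 bug class (not MHonArc's code).
# Pass 1 escapes dangerous elements, pass 2 strips structural wrapper tags,
# and nothing re-checks the output of pass 2. Tag lists are assumptions.
STRUCTURAL = ("html", "head", "body")
DANGEROUS = ("script",)


def _tag_re(names):
    # One tag whose name is in `names`; attributes may not contain '<' or '>'.
    return re.compile(r"<\s*(/?)\s*(%s)\b[^<>]*>" % "|".join(names), re.IGNORECASE)


STRUCT_RE = _tag_re(STRUCTURAL)
DANGER_RE = _tag_re(DANGEROUS)


def escape_dangerous(html):
    """Neutralise <script> and </script> by escaping their angle brackets."""
    return DANGER_RE.sub(lambda m: "&lt;" + m.group(0)[1:-1] + "&gt;", html)


def strip_structural(html):
    """Remove <html>, <head>, <body> wrappers so the message can be embedded."""
    return STRUCT_RE.sub("", html)


def filter_once(html):
    """The vulnerable order: escape first, strip second, no re-check.

    '<scr<body>ipt>' does not look like a script tag to pass 1, but pass 2
    deletes the inner '<body>' and hands back a live '<script>'.
    """
    return strip_structural(escape_dangerous(html))


def filter_fixed_point(html, max_rounds=8):
    """Re-run the whole chain until the output stops changing.

    This is the shape of the Debian proposal in comment 5 (call filter() at
    least twice): anything reassembled by a later pass is seen again by the
    earlier pass. If the input never converges, fail closed by escaping the
    remaining angle brackets instead of passing markup through.
    """
    prev, cur = None, html
    for _ in range(max_rounds):
        if cur == prev:
            return cur
        prev, cur = cur, filter_once(cur)
    return cur.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


if __name__ == "__main__":
    # Inputs taken from the bug description.
    plain = '<script>alert("elsa");</script>'
    split = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'
    print("single pass, plain :", filter_once(plain))
    print("single pass, split :", filter_once(split))   # live <script> survives
    print("fixed point, split :", filter_fixed_point(split))
```

Iterating to a fixed point only helps if every individual pass is itself safe; it closes the ordering gap shown here, not a gap in any one filter. A stricter design tokenises the HTML once and escapes or drops everything not on an allowlist, and the upstream FAQ links in comment 6 describe disabling HTML conversion entirely where that is acceptable.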
Comment 6 Vincent Danen 2011-01-04 11:43:27 EST
Upstream has committed a fix for this, so any snapshot release dated 2010-12-30 or later has the fix:

http://www.mhonarc.org/release/MHonArc/dist/

and the following is the upstream bug:

http://savannah.nongnu.org/bugs/?32013

Also note that upstream has noted that the FAQ discusses the risks of HTML mail and how to disable it in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow
Comment 8 Vincent Danen 2013-03-26 17:23:41 EDT
Created mhonarc tracking bugs for this issue

Affects: epel-all [bug 928096]
Comment 9 Vincent Danen 2013-03-26 17:24:45 EDT
Current Fedora has the fixed 2.6.18 version, but current EPEL still ships the vulnerable 2.6.16 version.
