MHonArc, a Perl mail-to-HTML converter, failed to properly escape certain HTML sequences. A remote attacker could provide a specially-crafted email message and trick the local user into converting it into HTML format. Subsequent preview of such a message might potentially execute arbitrary HTML or scripting code (XSS).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607693

Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=elsatest.mbox;att=1;bug=607693

Further issue note:
-------------------
MHonArc properly escapes, for example:
<script>alert("elsa");</script> => &lt;script&gt;alert("elsa");&lt;/script&gt;

But fails to do the same for a string in the form of:
<scr<body>ipt>alert("elsa");</scr<body>ipt> => <script>alert("elsa");</script>
This issue affects the versions of the mhonarc package as shipped with Fedora releases 13 and 14. This issue also affects the versions of the mhonarc package present within the EPEL-5 and EPEL-6 repositories. Please schedule an update once a patch for the issue is known.
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/21/4
Created mhonarc tracking bugs for this issue Affects: fedora-all [bug 664730]
The CVE identifier of CVE-2010-4524 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/12/22/4
Created attachment 470267 [details]
Patch proposal by Raphael Geissert of Debian

And relevant comment regarding it:
----------------------------------
Attached patch is a quick way to fix it. It increases the processing time (it has to run filter() at least twice per message), but ensures that no undesired html is returned (unless one of the existing routines misses something). What do you think about it?

Note:
-----
This patch still needs blessing from upstream (Earl Hood).
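The bypass in the first comment and the "run the filter until it stops changing" idea in the patch comment above can be modelled in a few lines. The following is an added example and is not MHonArc's code nor the Debian patch: it is a hypothetical Python sanitizer whose two steps (escape script elements, strip document-structure tags) are an assumption standing in for MHonArc's real routines, together with the fixpoint wrapper the patch proposal describes. The input strings are the ones from the report, embedded here as constructed sample data; the function and constant names are mine.

```python
import re

# Constructed sample inputs, taken from the strings quoted in the report.
PLAIN = '<script>alert("elsa");</script>'
BYPASS = '<scr<body>ipt>alert("elsa");</scr<body>ipt>'

# Hypothetical deny-list rules standing in for MHonArc's filter routines.
SCRIPT_RE = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
STRUCT_RE = re.compile(r"</?(?:html|head|body)\b[^>]*>", re.IGNORECASE)


def _escape_tag(m):
    # Neutralise the matched tag by turning its angle brackets into entities.
    return m.group(0).replace("<", "&lt;").replace(">", "&gt;")


def filter_once(html):
    """Single-pass sanitizer: escapes script tags, then strips structural tags.

    The ordering reproduces the reported flaw: step 1 sees no <script> in
    '<scr<body>ipt>', and step 2 then removes the '<body>' and creates one.
    """
    html = SCRIPT_RE.sub(_escape_tag, html)   # step 1: escape <script>...</script>
    html = STRUCT_RE.sub("", html)            # step 2: drop <html>/<head>/<body>
    return html


def filter_fixpoint(html, max_rounds=8):
    """Re-run the single-pass filter until its output no longer changes.

    Stripping a tag can splice text into a new tag, so one pass is not
    enough; iterating to a fixpoint is the approach the patch comment
    describes. If the filter does not converge within max_rounds, fail
    closed by escaping every angle bracket in the remaining text.
    """
    for _ in range(max_rounds):
        out = filter_once(html)
        if out == html:
            return out
        html = out
    return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def contains_live_script(html):
    """True if an unescaped <script ...> or </script> tag survives."""
    return SCRIPT_RE.search(html) is not None


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("bypass", BYPASS)):
        once = filter_once(text)
        fixed = filter_fixpoint(text)
        print(f"{label}: single pass -> {once!r} (live script: {contains_live_script(once)})")
        print(f"{label}: fixpoint    -> {fixed!r} (live script: {contains_live_script(fixed)})")
```

Running it shows the single pass turning the bypass string into a live `<script>` element while the fixpoint version returns the entity-escaped form; the cost is the extra filter passes the patch comment mentions, which is why a convergence bound with a fail-closed fallback is worth keeping.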
Upstream has committed a fix for this, so any snapshot release dated 2010-12-30 or later has the fix:
http://www.mhonarc.org/release/MHonArc/dist/

and the following is the upstream bug:
http://savannah.nongnu.org/bugs/?32013

Also note that upstream has noted that the FAQ discusses the risks of HTML mail and how to disable it in mhonarc archives:
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow
Also note the upstream fix:
http://www.mhonarc.org/cgi-bin/viewcvs.cgi/mhonarc/MHonArc/lib/mhtxthtml.pl.diff?r2=2.40&r1=2.39&diff_format=u
Created mhonarc tracking bugs for this issue Affects: epel-all [bug 928096]
Current Fedora has the fixed 2.6.18 version, but current EPEL still ships the vulnerable 2.6.16 version.