Summary
A cross-site scripting (XSS) vulnerability has been discovered for
all versions of MHonArc upto, and including, v2.5.13. A specially
crafted HTML mail message can introduce foreign scripting content
in archives, by-passing MHonArc's HTML script filtering.
Any MHonArc archives that allow HTML mail content are vulnerable.
Details:
At this time, details of the vulnerability are not being disclosed
until MHonArc users have adequate time to apply the Solutions
listed below.
No known exploits of the vulnerability has been reported.
The vulnerability was discovered by the MHonArc development team.
Solutions:
* Upgrade to v2.5.14.
* Or, disable HTML content from archives (something that is
recommended in the MHonArc FAQ for obvious security reasons).
HTML content can be disabled as follows with the following
resource settings:
<MIMEExcs>
text/html
text/x-html
</MIMEExcs>
If running versions prior to 2.4.9 that does not support
MIMEEXCS, then you can do the following:
<MIMEFilters>
text/html; m2h_text_plain::filter; mhtxtplain.pl
text/x-html; m2h_text_plain::filter; mhtxtplain.pl
</MIMEFilters>
Which causes all HTML data to be treated like text/plain data.
This can be done for later versions also if you do not want
to exclude HTML messages entirely.
Versions Affected:
All versions upto, and including, v2.5.13.
Development snapshots dated 2002-12-21 and earlier.
Availability:
Homepage: <http://www.mhonarc.org/>
Releases: <http://www.mhonarc.org/release/MHonArc/tar/>
--
Earl Hood, <earl(_at_)earlhood(_dot_)com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
pgpM4zpSTClQ8.pgp
Description: PGP signature
