mhonarc-commits

CVS: mhonarc/MHonArc/doc/faq faq.html,1.25,1.26 security.html,1.1,1.2

2002-11-13 19:55:44
Update of /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq
In directory subversions:/tmp/cvs-serv3621

Modified Files:
	faq.html security.html 
Log Message:
+ Added:
  . Who do I contact if I find a vulnerability with MHonArc?
  . Is it okay to run mhonarc setuid?
* Updated existing questions.


Index: faq.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/faq.html,v
retrieving revision 1.25
retrieving revision 1.26
diff -C2 -r1.25 -r1.26
*** faq.html	20 Jul 2002 00:48:48 -0000	1.25
--- faq.html	14 Nov 2002 02:55:35 -0000	1.26
***************
*** 159,166 ****
--- 159,168 ----
  <li><a name="security" href="security.html">Security</a>
  <ul>
+ <li><a name="contact" href="security.html#contact">Who do I contact if I find a vulnerability with MHonArc?</a></li>
  <li><a name="spam" href="security.html#spam">Can I obscure email addresses?</a></li>
  <li><a name="spam" href="security.html#spam">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
  <li><a name="htmldata" href="security.html#htmldata">Why are HTML messages a security risk?</a></li>
  <li><a name="attachments" href="security.html#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
+ <li><a name="suid" href="security.html#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
  </ul>
  </ul>
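Review bot: the two untouched entries `<li><a name="spam" href="security.html#spam">Can I obscure email addresses?</a></li>` and `<li><a name="spam" href="security.html#spam">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>` reuse the same anchor name and the same target, so the `.mhonarc.db` question lands on the address-obscuring answer. Since this commit is already adding anchors, give the database question its own (for example `name="dbfile" href="security.html#dbfile"`) and define the matching `<a name>` in security.html. The new `contact` and `suid` entries follow the one-anchor-per-question pattern correctly.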

Index: security.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/security.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -r1.1 -r1.2
*** security.html	2 Apr 2002 06:57:57 -0000	1.1
--- security.html	14 Nov 2002 02:55:35 -0000	1.2
***************
*** 17,24 ****
--- 17,26 ----
  <!--X-TOC-Start-->
  <ul>
+ <li><a href="#contact">Who do I contact if I find a vulnerability with MHonArc?</a></li>
  <li><a href="#spam">Can I obscure email addresses?</a></li>
  <li><a href="#spam">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
  <li><a href="#htmldata">Why are HTML messages a security risk?</a></li>
  <li><a href="#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
+ <li><a href="#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
  </ul>
  <!--X-TOC-End-->
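Review bot: same duplicated target here: `<li><a href="#spam">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>` points at the address-obscuring section; once the database question gets its own anchor in the body, update this TOC entry to match so the in-page links are not ambiguous.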
***************
*** 28,31 ****
--- 30,70 ----
  <table border=0>
  <tr valign=top><td><img src="monicon.png" align="bottom" alt=""></td><td>
+ <h3><b><a name="contact">Who do I contact if I find a vulnerability with MHonArc?</a></b></h3>
+ </td></tr></table>
+ 
+ <p>You can do one of the following:
+ </p>
+ <ul>
+ <li><p>You can submit a report at
+     <a href="http://savannah.nongnu.org/bugs/?func=addbug&group=mhonarc";
+     >&lt;https://savannah.nongnu.org/bugs/?func=addbug&group=mhonarc&gt;</a>.
+     Make sure to fill out all required information, and for the
+     <b>Bug Group</b> form item, select <em>Security</em>.
+     </p>
+     <p><strong>Note:</strong> All reports submitted for MHonArc via savannah 
+     are automatically mailed to the
+     <a href="mailto:mhonarc-dev(_at_)mhonarc(_dot_)org">mhonarc-dev(_at_)mhonarc(_dot_)org</a>
+     list, which is archived at
+     <a href="http://www.mhonarc.org/archive/html/";
+     >&lt;http://www.mhonarc.org/archive/html/&gt;</a>.
+     </p>
+     </li>
+ <li><p>Or, you can send a mail message to
+     <a href="mailto:mhonarc(_at_)mhonarc(_dot_)org?subject=Security%20Vulnerability"
+     >mhonarc(_at_)mhonarc(_dot_)org</a>.  This address goes directly to the author(s) of
+     MHonArc, and is <strong>not</strong> archived on any public site.
+     </p></li>
+ </ul>
+ 
+ <p>Please indicate if it is okay to mention your name in any resulting
+ advisories or patches that may result from your report.  If you do
+ not make any indications, all attempts will be made to keep your identity
+ confidential.
+ </p>
+ 
+ <!-- ??????????????????????????????????????????????????????????????? -->
+ <hr noshade size=1>
+ <table border=0>
+ <tr valign=top><td><img src="monicon.png" align="bottom" alt=""></td><td>
  <h3><b><a name="spam">Can I obscure email addresses?</a></b></h3>
  </td></tr></table>
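Review bot: the ordering of the two reporting options undermines the page's own warning. The savannah tracker is listed first, yet the note directly under it says every savannah report is mailed to mhonarc-dev and archived publicly, so a reporter who follows the first option publishes an unfixed vulnerability. Lead with the private `mhonarc(_at_)mhonarc(_dot_)org` address and state that the public tracker is for issues that are already fixed or already public. Two smaller points in the same hunk: in `href="http://savannah.nongnu.org/bugs/?func=addbug&group=mhonarc"` the scheme is `http://` while the link text shows `https://`, and a bare `&` inside an attribute value should be `&amp;`; and both `href` values are followed by a stray `;` after the closing quote that does not belong there.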
***************
*** 69,72 ****
--- 108,117 ----
  </p>
  
+ <p>An alternative to a web server-based solution, you can use the
+ <b>DBFILE</b> resource to place the database file in a non-web server
+ accessible location by specifying a full pathname of the database file
+ to use.  <strong>Note:</strong> Using a full pathname for DBFILE is
+ supported only in v2.5.13, or later.  </p>
+ 
  <!-- ??????????????????????????????????????????????????????????????? -->
  <hr noshade size=1>
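Review bot: "An alternative to a web server-based solution, you can use the DBFILE resource" is missing its leading "As"; suggest "As an alternative to a web server-based solution, you can use the <b>DBFILE</b> resource to place the database file in a location the web server does not serve, by giving a full pathname". Also worth one caveat: a full pathname only helps if the directory really is outside the document root (not merely a different directory under it), and the user running mhonarc still needs write access there. Since the feature is gated on v2.5.13, say what an older version does with a full pathname (ignore it, or treat it relative to the archive directory?) so an administrator on an older release does not believe the database has been moved when it has not.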
***************
*** 87,90 ****
--- 132,140 ----
  </p>
  
+ <p>These types of attacks are classified as <em>Cross-Site
+ Scripting</em> (XSS) attacks by the security community.  The common
+ goal for XSS attacks is to obtain private information of a user,
+ like browser cookies used for site authentication.  </p>
+ 
  <p>The following is a brief list of some of the security issues
  related to HTML messages:
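Review bot: the new XSS paragraph narrows the attacker's goal to stealing cookies. In an archive the injected script runs in the origin of the archive site for every visitor, so it can also issue requests in the reader's session, rewrite the page, or redirect to a phishing site; suggest "Common goals of XSS attacks include stealing session cookies, performing actions as the logged-in user, and defacing or redirecting the page." It is also worth saying that because the message is stored in the archive this is a persistent (stored) XSS: every reader of the page is affected, not only someone who follows a crafted link.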
***************
*** 102,111 ****
  </ul>
  
! <p>MHonArc's HTML filter (documented under the <b>MIMEFILTERS</b>) resource
! provides functionality of stripping out HTML data to minimize security
! exploits.  Check the document for full details.  The general recommendation
! for the security conscience is to exclude any HTML message data, especially
! for publicly accessible archives.
! </p>
  
  <!-- ??????????????????????????????????????????????????????????????? -->
--- 152,161 ----
  </ul>
  
! <p>MHonArc's HTML filter (documented under the <b>MIMEFILTERS</b>)
! resource provides functionality of stripping out HTML data to
! minimize security exploits.  Check the document for full details.
! The general recommendation for the security conscience is to exclude
! any HTML message data via the <b>MIMEEXCS</b> resource, especially
! for publicly accessible archives.  </p>
  
  <!-- ??????????????????????????????????????????????????????????????? -->
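Review bot: "security conscience" survives the rewrite on the line "The general recommendation for the security conscience is to exclude"; it should be "security conscious". The parenthesis is also misplaced: "HTML filter (documented under the <b>MIMEFILTERS</b>) resource" should be "HTML filter (documented under the <b>MIMEFILTERS</b> resource)", and "provides functionality of stripping out HTML data to minimize security exploits" reads better as "strips HTML constructs that can be used for attacks". Pointing to MIMEEXCS as the way to exclude HTML entirely is the right fix; it would help to show the resource name the filter applies to (text/html) alongside it so a reader knows what to list.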
***************
*** 139,142 ****
--- 189,206 ----
  resource advises caution when using the filter options that enable
  the usage of attachment filenames or filename extensions.
+ </p>
+ 
+ <!-- ??????????????????????????????????????????????????????????????? -->
+ <hr noshade size=1>
+ <table border=0>
+ <tr valign=top><td><img src="monicon.png" align="bottom" alt=""></td><td>
+ <h3><b><a name="suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></b></h3>
+ </td></tr></table>
+ 
+ <p><strong>NO!</strong>  It is not okay.  First, MHonArc does
+ not pass Perl's taint checks.  Second, MHonArc is vulnerable to
+ symlink attacks.  Hence, if <tt>mhonarc</tt> (or any of the utility
+ programs) is setuid, <tt>mhonarc</tt> can be used for local priviledge
+ escalation attacks.
  </p>
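Review bot: "priviledge" on the line "can be used for local priviledge" should be "privilege". The answer explains why setuid is unsafe (no taint checking, symlink attacks) but not what to do instead; add one sentence recommending that mhonarc run as a dedicated unprivileged user that owns the archive directory and nothing else (invoked from cron or a delivery alias), so that neither weakness can be turned into an escalation. The symlink sentence would also be clearer if it said where the exposure lies, i.e. in the archive directory and the files mhonarc creates and rewrites there.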
  
