mhonarc-users

Re: Is MHonArc 2.2.0 (-single) vulnerable to HotMail "bug?"

1998-08-28 12:57:46
On August 28, 1998 at 09:30, Frank Wancho wrote:

      To clarify, when mhonarc -single is called from within a
      webmail-like interface, it is vulnerable to the so-called
      *HOT* Mail "bug?"  If so, will there be a fix similar to the
      heavy filtering HotMail developed for their environment?

See the summary at http://www.news.com/News/Item/0,4,25792,00.html

The specifics are at http://www.because-we-can.com/hotmail/default.htm

Since it has to do with HTML data, any modification to deal with the
potential security problem would be addressed in the text/html filter
(mhtxthtml.pl).  Note, the security problem is related to how MHonArc
is used.  Most users will not have the problem since MHonArc is not used
for functions similar to Hotmail, Yahoo Mail, etc.  However, the
sender of the message can still cause an annoyance by embedding
JavaScript in a message that gets invoked when the message is accessed
in the archive.  I guess things like taking the user elsewhere or
popping up windows with data from other sites can be done if the
user is using a JavaScript-enabled browser.

I'll be happy to include a contributed text/html filter to deal with
JavaScript and Java.  Since JavaScript can be embedded in all kinds of
locations in an HTML document, it would take some work to write a
proper filter.  Maybe the MHonArc users that use JavaScript can
contribute something.  You might have noticed that I have little
incentive to do something myself immediately.

If someone wants to be extra cautious and avoid any JavaScript/Java
data conflicting with their web site, and cannot wait for a new
text/html filter to pop up, s/he can just register the text/plain filter
(mhtxtplain.pl) to handle text/html data.  Or use a null filter to
exclude any HTML data.  This should be acceptable for most users
that use MHonArc on mailing lists since HTML messages are normally
frowned upon in such environments.

        --ewh

----
             Earl Hood              | University of California: Irvine
      ehood(_at_)medusa(_dot_)acs(_dot_)uci(_dot_)edu      |      Electronic Loiterer
http://www.oac.uci.edu/indiv/ehood/ | Dabbler of SGML/WWW/Perl/MIME
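
The cautious configuration suggested in the message, written out as an MHonArc resource file fragment. This is an added example, not taken from the original post or the MHonArc distribution; it assumes the standard MIMEFILTERS syntax (content-type; filter routine; filter file) and that the null filter is shipped as m2h_null::filter in mhnull.pl, which is how later MHonArc releases name it.

```text
Resource file fragment (e.g. archive.mrc, passed with -rcfile).
Lines outside resource elements are ignored by MHonArc, so this
text serves as commentary.

Default mapping, shown for contrast only. mhtxthtml.pl passes
message HTML through to the archive page, so any <script> or
event-handler attribute the sender embedded is served to readers
and runs in a JavaScript-enabled browser:

  text/html; m2h_text_html::filter; mhtxthtml.pl

Option 1 from the message: route text/html through the text/plain
filter. The HTML source is rendered as escaped text, so nothing in it
is interpreted by the browser, and the reader can still see the
message content.

<MIMEFILTERS>
text/html;      m2h_text_plain::filter; mhtxtplain.pl
text/x-html;    m2h_text_plain::filter; mhtxtplain.pl
</MIMEFILTERS>

Option 2 from the message: drop HTML parts entirely with the null
filter (filter file name assumed from the MHonArc distribution).
Only the text/plain alternative of a multipart/alternative message
survives, which is usually fine on mailing lists where HTML mail is
discouraged anyway.

<MIMEFILTERS>
text/html;      m2h_null::filter; mhnull.pl
text/x-html;    m2h_null::filter; mhnull.pl
</MIMEFILTERS>
```

Use one of the two MIMEFILTERS blocks, not both; a later entry for the same content type overrides an earlier one. After changing the mapping, the existing archive must be regenerated, since pages already written still contain the unfiltered HTML.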
