MHonArc Security Advisory: SSI exploitation

1999-10-18 04:56:11
MHonArc Users,

I'd like repeat warnings in a message reply to the list in-case
some of you did not read it:

WARNING: Using "usename" and "usenameext" options to the
m2h_external::filter can be potential security risk.  "usename" and
"usenameext" opens up attacks by exploiting server-side includes
(SSIs).  I.e. Data can specify a filename with a ".shtml" extension,
and if SSI is enabled, the data can specify SSIs that could exploit
your site.

WARNING: it is HIGHLY ADVISABLE to not have SSIs active for
".html" files.  Currently, SSIs in HTML message data are not
removed byt the text/html filter, so someone can compromise
your site by sending an HTML message with SSI directives.

I plan to to make some modification to the text/html filter to remove
SSIs.  Also, I will evaluate what should be done in
m2h_external::filter to reduce security risk.  Some exception
processing may need to be done if m2h_external::filter is used to
handle HTML data: which also have JavaScript/applet issues along with
SSI issues.  Note, m2h_text_html::filter already removes
JavaScript/applet data from HTML parts.

Until MHonArc is modified, it is advisable to check your HTTP server
settings with respect to SSIs and to check your MHonArc resource
settings to see if there are potential exploits.


<Prev in Thread] Current Thread [Next in Thread>
  • MHonArc Security Advisory: SSI exploitation, Earl Hood <=