mhonarc-users

Re: Cross Site Scripting security issue and MHonarc

2000-02-04 01:29:13

The Apache group issued a security bulletin yesterday
describing Cross Site Scripting security issues, and I wondered
if MHonarc has any mechanisms to handle potentially malicious html code
embedded in mail messages.

For text/html data, the mhtxthtml.pl filter is used.  By default, it
attempts to remove any scripting data from the HTML during conversion
(in the latest releases of MHonArc).  I just looked at it again, and the
following HTML components are not removed (but they should be):

        EMBED
        OBJECT
        FORM (and form-related elements)
        META (only if not put in a HEAD)

I'll add the stripping of these.  Note, mhtxthtml.pl does remove
scripting-based attributes like onChange, onMouseOver, et al.

If you are not familiar with the term "Cross Site Scripting",
here are some pointers:

      http://www.cert.org/advisories/CA-2000-02.html
      http://www.cert.org/tech_tips/malicious_code_mitigation.html

We are running MHonarc 2.2, in case that is relevant.

This security issue has been raised before.  If you do not want
to upgrade to the latest release, you can use the latest mhtxthtml.pl
and add the stripping of the above-listed items if you need a solution
immediately and cannot wait for the next release.

To be ultra safe, you could use the mhnull.pl filter for text/html
data.  Or use a filter that returns the empty string (just modify
mhnull.pl to return "") so if text/html is within a
multipart/alternative, mhonarc will fall back to the lesser
content-type.

        --ewh

  • Re: Cross Site Scripting security issue and MHonarc, Earl Hood <=
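
An added example, not part of the original post and not MHonArc code: a small audit that scans an already-converted archive page for the components the reply lists (EMBED, OBJECT, FORM and form-related elements, META outside a HEAD) and for on* event attributes. The names `ActiveContentAuditor` and `audit`, the inclusion of SCRIPT, the set of form-related tags and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Elements named in the post; SCRIPT is added here as an assumption.
ACTIVE_TAGS = {"script", "embed", "object"}
# "Form-related elements" is not enumerated in the post; this set is an assumption.
FORM_TAGS = {"form", "input", "button", "select", "option", "textarea"}


class ActiveContentAuditor(HTMLParser):
    """Collects (line, kind, name) for active content left in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # 1-based line where the tag starts
        if tag == "head":
            self.in_head = True
        if tag in ACTIVE_TAGS or tag in FORM_TAGS:
            self.findings.append((line, "element", tag))
        elif tag == "meta" and not self.in_head:
            self.findings.append((line, "element", "meta (outside head)"))
        for name, _value in attrs:
            # Coarse match for event handlers such as onChange, onMouseOver.
            if name.startswith("on"):
                self.findings.append((line, "attribute", name))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(html_text):
    """Return the findings for one archived HTML page."""
    parser = ActiveContentAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real archive.
SAMPLE = """<html><head><meta name="generator" content="x"></head>
<body>
<p onMouseOver="x()">hello</p>
<META http-equiv="refresh" content="0;url=http://example.invalid/">
<form action="http://example.invalid/"><input name="q"></form>
<EMBED src="a.swf">
<object data="b"></object>
</body></html>"""

if __name__ == "__main__":
    for line, kind, name in audit(SAMPLE):
        print(f"line {line}: {kind} {name}")
```

An empty result for a page means none of these components survived conversion; any finding points to a message worth re-converting with a newer filter or with text/html excluded.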