mhonarc-users

MHonArc Security Advisory: XSS vulnerability

2002-10-21 12:13:31
Description:
-----------
  A Cross-Site Scripting (XSS) vulnerability exists in MHonArc
  versions 2.5.12 and earlier.  XSS can be introduced through
  message headers with carefully crafted field labels (the field name
  before the colon), which are rendered into the converted message
  page.  For example:

      To: <someone(_at_)example(_dot_)com>
      From: <hacker(_at_)example(_dot_)com>
      Header<SCRIPT>hello</SCRIPT>def: whatever

Solution:
--------
  Upgrade to v2.5.13.

Work-Arounds:
------------
  Remove the use of '-extra-' in the FIELDORDER resource.  If it is
  removed, only the field labels explicitly listed in FIELDORDER will be
  displayed on converted message pages, so arbitrary labels from a
  message are never rendered.
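  As an added illustration (Python written for this note, not MHonArc's
  own Perl code), the following models the rendering decision the
  advisory and work-around describe: a simplified FIELDORDER selector
  with the '-extra-' token, a renderer that HTML-escapes field labels,
  and a check that flags labels carrying markup.  The FIELDORDER
  semantics are a simplified assumption, the function names are
  invented, and the sample message is constructed from the headers
  quoted above.

```python
import html
import re

# Constructed sample, reusing the header block quoted in the advisory
# (addresses written back in plain e-mail form).
SAMPLE_MESSAGE = """\
To: <someone@example.com>
From: <hacker@example.com>
Header<SCRIPT>hello</SCRIPT>def: whatever
"""

def parse_headers(raw):
    """Return (label, value) pairs, keeping the label exactly as written
    so a hostile label survives until the rendering decision is made."""
    fields = []
    for line in raw.splitlines():
        if ":" in line:
            label, _, value = line.partition(":")
            fields.append((label.strip(), value.strip()))
    return fields

def select_fields(fields, fieldorder):
    """Simplified model (an assumption, not MHonArc's code) of the
    FIELDORDER resource: listed names appear in that order, and the
    '-extra-' token stands for every field not named explicitly."""
    named = {f.lower() for f in fieldorder if f != "-extra-"}
    selected = []
    for entry in fieldorder:
        if entry == "-extra-":
            selected += [f for f in fields if f[0].lower() not in named]
        else:
            selected += [f for f in fields if f[0].lower() == entry.lower()]
    return selected

def render_fields(fields, escape_labels=True):
    """Render one line per field.  escape_labels=False emits the label
    raw, which is the unsafe behaviour the advisory reports; values are
    escaped in both modes (a modelling assumption)."""
    rows = []
    for label, value in fields:
        shown = html.escape(label) if escape_labels else label
        rows.append(f"<b>{shown}:</b> {html.escape(value)}<br>")
    return "\n".join(rows)

def hostile_labels(fields):
    """Detection helper for archive operators: legitimate header field
    names do not contain '<' or '>', so flag any label that does."""
    return [label for label, _ in fields if re.search(r"[<>]", label)]
```

  With '-extra-' in the order, only the escaping renderer neutralises the
  crafted label; without '-extra-', the label is never selected at all.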

Acknowledgements:
----------------
  Thanks to Steven M. Christey for discovering this problem.
