Description:
-----------
A Cross Site Scripting (XSS) vulnerability exists in MHonArc
versions 2.5.12 and earlier. XSS can be introduced through message
headers by carefully crafted message field labels (the field name
before the colon), as in the third header line of this example:

    To: <someone(_at_)example(_dot_)com>
    From: <hacker(_at_)example(_dot_)com>
    Header<SCRIPT>hello</SCRIPT>def: whatever
Solution:
--------
Upgrade to v2.5.13.
Work-Arounds:
------------
Remove the use of '-extra-' in the FIELDORDER resource. If it is removed,
only the field labels explicitly listed in FIELDORDER will be displayed on
converted message pages, so an attacker-chosen label is never rendered.
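The following Python script is an added illustration of both the problem described above and the work-around; it is not MHonArc code and does not reproduce MHonArc's actual header-rendering or FIELDORDER logic, only a simplified model of it. It parses the advisory's sample headers, shows how echoing a field label into HTML verbatim lets the script tag through, how escaping the label neutralises it, and how dropping '-extra-' from a FIELDORDER-style list keeps the unknown label off the page entirely. The field-selection rules are a simplification (assumed, not taken from MHonArc's documentation).

```python
import html
import re

# Constructed sample message, mirroring the advisory's example; the third
# header line carries markup in the field label rather than in the value.
SAMPLE_MESSAGE = (
    "To: <someone(_at_)example(_dot_)com>\n"
    "From: <hacker(_at_)example(_dot_)com>\n"
    "Header<SCRIPT>hello</SCRIPT>def: whatever\n"
    "Subject: test\n"
)

# A header line is "Label: value"; the label is anything up to the first colon
# that contains no whitespace. Folded continuation lines are ignored here.
HEADER_RE = re.compile(r"^([^:\s]+):\s*(.*)$")


def parse_headers(raw):
    """Return a list of (label, value) pairs, one per header line."""
    pairs = []
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def select_fields(pairs, fieldorder):
    """Simplified FIELDORDER model (assumption, not MHonArc's own rules):
    listed labels are emitted in the given order; the pseudo-entry
    '-extra-' stands for every label that is not otherwise listed."""
    listed = {f.lower() for f in fieldorder if f != "-extra-"}
    out = []
    for f in fieldorder:
        if f == "-extra-":
            out.extend(p for p in pairs if p[0].lower() not in listed)
        else:
            out.extend(p for p in pairs if p[0].lower() == f.lower())
    return out


def render_unescaped(pairs):
    """Vulnerable pattern: the value is escaped but the label is trusted and
    copied into the HTML as-is."""
    return "\n".join(
        f"<b>{label}:</b> {html.escape(value)}" for label, value in pairs
    )


def render_escaped(pairs):
    """Fixed pattern: both label and value are HTML-escaped."""
    return "\n".join(
        f"<b>{html.escape(label)}:</b> {html.escape(value)}"
        for label, value in pairs
    )


def contains_raw_script(output):
    """True if a live <script> start tag survived into the output."""
    return "<script>" in output.lower()


def demo():
    """Compare the three situations on the constructed sample."""
    pairs = parse_headers(SAMPLE_MESSAGE)
    with_extra = select_fields(pairs, ["From", "To", "Subject", "-extra-"])
    without_extra = select_fields(pairs, ["From", "To", "Subject"])
    return {
        # label echoed verbatim and '-extra-' present: script tag reaches the page
        "vulnerable": contains_raw_script(render_unescaped(with_extra)),
        # same selection, but the label is escaped: tag is inert text
        "escaped": contains_raw_script(render_escaped(with_extra)),
        # advisory work-around: no '-extra-', so the crafted label is never shown
        "workaround": contains_raw_script(render_unescaped(without_extra)),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:10s} raw <script> in output: {hit}")
```

Running the script prints `vulnerable` as True and the other two as False: escaping the label is the real fix, while dropping '-extra-' avoids rendering attacker-controlled labels at all, at the cost of hiding every header not named in FIELDORDER.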
Acknowledgements:
----------------
Thanks to Steven M. Christey for discovering this problem.