MHonArc scripting tag filtering can be bypassed

mhonarc-script-filtering-bypass (8894) The risk level is classified as MediumMedium Risk

Description:

MHonArc could allow a remote attacker to inject malicious script into an archive. A remote attacker could create an HTML email message that contains specially-crafted scripting tags, which would bypass MHonArc's scripting tag filtering mechanism and allow the message to be stored in the archive.


Consequences:

Bypass Security

Remedy:

Upgrade to the latest version of MHonArc (2.5.3 or later), available from the MHonArc Web page. See References.

For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest mhonarc package (2.4.4-1.1 or later) available from the DSA-163-1. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest mhonarc package (2.5.2-1.1 or later) available from the DSA-163-1. See References.

References:

  • BugTraq Mailing List, Thu Apr 18 2002 - 16:53:54 CDT: MHonArc v2.5.2 Script Filtering Bypass Vulnerability.
  • MHonArc Web site: Change History for MHonArc. (Vendor states "Beefed up HTML filtering in mhtxthtml.pl to eliminate some security exploits")
  • MHonArc Web site: MHonArc.
  • BID-4546: MHonArc HTML Script Filter Bypass Vulnerability
  • CVE-2002-0738: MHonArc 2.5.2 and earlier does not properly filter Javascript from archived e-mail messages, which could allow remote attackers to execute script in web clients by (1) splitting the SCRIPT tag into smaller pieces, (2) including the script in a SRC argument to an IMG tag, or (3) using &={script} syntax.
  • DSA-163: mhonarc -- cross site scripting
  • OSVDB ID: 5121: MHonArc mhtxthtml.pl Javascript Filter Bypass

Platforms Affected:

  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • Earl Hood MHonArc 2.5.2

Reported:

Apr 18, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page