Re: MHonArc XSS vulnerability fixed in 2.6.3

On April 6, 2003 at 00:02, Jeff Breidenbach wrote:

> MHonArc 2.6.3 corrects another cross site scripting
> vulnerability discovered in MHonArc. An XSS demo exploit
> is publicly announced upstream, but only with a short
> blurb (as opposed to a detailed advisory)
> http://www.mhonarc.org/
> http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=3128&group_id=1968
> Unknown if this affects Debian stable (mhonarc 2.5.2-1.3).
> I've uploaded 2.6.3 with high priority to Sid.

Sorry for not contacting the debian folks about this.  However,
it is likely that other XSS exploits may be discovered, and with
the questionable impact of XSS exploits (there was a discussion on
bugtraq last November about the real effects of XSS), I am not that
concerned over them and prefer to not put further strain on the
limited resources of the folks at debian and other vendors.

With the common usage model of MHonArc, it appears IMHO that XSS
exploits may have little, to no, effect.  Since MHonArc is generally
used to archive mailing lists, if a malicious message is sent to the
list, subscribers will be able to see the message directly before
it hits the archive.  I.e., attacks on the archive are implicitly
announced, giving opportunity for an admin to remove the offending
message before it can do damage.

The documentation/FAQ already advises about the dangers of HTML
messages, so for users serious about security, HTML in email should
already be disabled.  I state in the docs that there is no guarantee
that the HTML filtering process will prevent all XSS exploits.

Now, a legitimate question is if the notice is prominent enough and
if by default, HTML mail messages should be disabled.  I definitely
welcome suggestions on the former, and I am unsure about the latter.

BTW, I should note that there were even some unannounced XSS
fixes in the v2.6.0 release (found doing my own code audit).
Message/external-body and text/tab-separated-values filters were
vulnerable to XSS.  Since I had not received a single report about
them, I did not bother to make any special advisories about it.

With that said, if the debian folks want to receive any XSS
vulnerabilities reported, regardless of what the real impact is, I
can notify debian-security on each report and coordinate any security
patch releases with debian.  I am committed to fixing exploits as
they are discovered, but I am currently not sure if it is worth the
effort to go through a complete security vulnerability procedure and
announcement each time an exploit is reported.

Earl Hood, <earl@earlhood.com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
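The message above mentions that the text/tab-separated-values filter was vulnerable to XSS. The following is an added illustration of that class of bug, not MHonArc's own code: a minimal TSV-to-HTML-table filter in its naive form beside an HTML-escaping form, run over a constructed message body, with a check that shows which rendering still carries a raw tag. Function names and the sample body are assumptions made for this example.

```python
import html
from typing import List

# Constructed sample body of a text/tab-separated-values part: one cell
# carries markup, standing in for a malicious message posted to an archived list.
SAMPLE_TSV = "name\tnote\nalice\tok\nmallory\t<script>alert(1)</script>\n"


def tsv_rows(body: str) -> List[List[str]]:
    """Split a TSV body into rows of cells (no quoting rules, like a plain filter)."""
    return [line.split("\t") for line in body.splitlines() if line != ""]


def tsv_to_html_unescaped(body: str) -> str:
    """Naive filter: copies each cell into the table verbatim (the XSS-prone pattern)."""
    out = ["<table>"]
    for row in tsv_rows(body):
        out.append("<tr>" + "".join(f"<td>{cell}</td>" for cell in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def tsv_to_html_escaped(body: str) -> str:
    """Hardened filter: every cell is HTML-escaped before it is placed in markup."""
    out = ["<table>"]
    for row in tsv_rows(body):
        cells = "".join(f"<td>{html.escape(cell, quote=True)}</td>" for cell in row)
        out.append("<tr>" + cells + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def contains_raw_tag(rendered: str, tag: str = "<script") -> bool:
    """Archive review check (a demonstration heuristic, not a sanitizer):
    does the rendered page still contain the tag as live markup?"""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    print(tsv_to_html_unescaped(SAMPLE_TSV))
    print(tsv_to_html_escaped(SAMPLE_TSV))
```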

