On April 6, 2003 at 00:02, Jeff Breidenbach wrote:
> MHonArc 2.6.3 corrects another cross site scripting
> vulnerability discovered in MHonArc. An XSS demo exploit
> is publicly announced upstream, but only with a short
> blurb (as opposed to a detailed advisory)
>
> http://www.mhonarc.org/
> http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=3128&group_id=1968
>
> Unknown if this affects Debian stable (mhonarc 2.5.2-1.3).
> I've uploaded 2.6.3 with high priority to Sid.
Sorry for not contacting the debian folks about this. However, it is likely that other XSS exploits may be discovered, and with the questionable impact of XSS exploits (there was a discussion on bugtraq last November about the real effects of XSS), I am not that concerned over them and prefer to not put further strain on the limited resources of the folks at debian and other vendors.

With the common usage model of MHonArc, it appears IMHO that XSS exploits may have little to no effect. Since MHonArc is generally used to archive mailing lists, if a malicious message is sent to the list, subscribers will be able to see the message directly before it hits the archive. I.e., attacks on the archive are implicitly announced, giving opportunity for an admin to remove the offending message before it can do damage.

The documentation/FAQ already advises about the dangers of HTML messages, so for users serious about security, HTML in email should already be disabled. I state in the docs that there is no guarantee that the HTML filtering process will prevent all XSS exploits. Now, a legitimate question is if the notice is prominent enough and if, by default, HTML mail messages should be disabled. I definitely welcome suggestions on the former, and I am unsure about the latter.

BTW, I should note that there were even some unannounced XSS fixes in the v2.6.0 release (found doing my own code audit). Message/external-body and text/tab-separated-values filters were vulnerable to XSS. Since I had not received a single report about them, I did not bother to make any special advisories about it.

With that said, if the debian folks want to receive any XSS vulnerabilities reported, regardless of what the real impact is, I can notify debian-security on each report and coordinate any security patch releases with debian.

I am committed to fixing exploits as they are discovered, but I am currently not sure if it is worth the effort to go through a complete security vulnerability procedure and announcement each time an exploit is reported.

--ewh
--
Earl Hood, <[EMAIL PROTECTED]>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
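For an archive administrator who wants to follow the advice above and keep HTML mail out of the generated pages, the setting lives in the MHonArc resource file. This is an added example, not part of the thread, and it assumes MHonArc's documented MIMEExcs and MIMEFilters resources and the m2h_text_plain::filter routine shipped in mhtxtplain.pl; use one of the two blocks, not both.

```text
Added example (not from the thread). Text outside resource elements is ignored by MHonArc,
so these lines serve as comments.

Option 1 (strict): exclude text/html parts from conversion altogether.
Assumes the MIMEExcs resource; an excluded part is not rendered into the archive page.
<MIMEExcs>
text/html
text/x-html
</MIMEExcs>

Option 2 (lenient): keep the message body visible, but convert HTML parts with the
plain-text filter so the markup is escaped rather than emitted into the page.
Assumes the MIMEFilters resource and m2h_text_plain::filter from mhtxtplain.pl.
<MIMEFilters>
text/html;    m2h_text_plain::filter;  mhtxtplain.pl
text/x-html;  m2h_text_plain::filter;  mhtxtplain.pl
</MIMEFilters>
```

Either option removes the HTML-to-HTML filter from the path a malicious message would take into the archive, which is the component the upstream fix in 2.6.3 hardened.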