Security

Possible XSS in MagicHTML (IE only)

Date:

2006-02-10

Description:

The MagicHTML filter for incoming HTML email did not correctly disregard comments (/* */) inserted in style sheets ("u/* */rl"). It also accepted "u\rl" as "url" in styles. These allow a malicious user to break the privacy of the user by having them request an item from a remote site when reading the mail. This happens only in browsers that parse this invalid style, only one known is Internet Explorer.

Affected Versions:

<= 1.4.5

Register Globals:

Register_globals does not have to be on for this issue.

CVE ID(s):

CVE-2006-0195

Patch:

view patch

Credits:

These issues were discovered by Martijn Brinkers and Scott Hughes.

This page last updated:

2007-07-03 12:59:23