Security

Cross site scripting in HTML filter

Date:

2007-05-09

Description:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML.

This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML
and JavaScript in many charsets. We now properly canonicalize the incoming
HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in
HTML mails which were in fact GET requests for the compose.php page sending
mail. These images are now properly detected, and the compose form will only
send mail through a POST request.

Affected Versions:

1.4.0-1.4.9a

Register Globals:

Register_globals does not have to be on for this issue.

CVE ID(s):

CVE-2007-1262
CVE-2007-2589

Patch:

view patch

Credits:

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved.

This page last updated:

2007-08-16 00:39:13