[hypermail] Hypermail security

---------


From: Franklin DeMatto (franklin.lists@qdefense.com)
Date: Mon Nov 12 2001 - 10:33:30 CST


I'm curious as to whether the following issues have been looked into:

Can a user sneak nasty HTML into a message? Using <PRE> does not suffice,
as an evil user can close it with </PRE>. Ideally, there should be a
setting to convert any < and > into &lt; and &gt;, so that no evil HTML
can get in. The entire message would need to be scanned. Of course, this
would only work for text/plain, not text/html.

Has hypermail been audited for other security issues? Buffer overflows,
and creation of local files with evil names (such as unwanted extensions)
or properties (such as double dots in paths or x-bit on) come to mind.

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
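
The conversion the message asks for, shown as an added example that is not part of the original post and is not hypermail's own code: a bounded C routine that escapes a text/plain body before it is placed inside <PRE>. It goes beyond the message by also escaping & and "; the names html_escape and entity_for and the sample body are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one byte to its HTML entity, or NULL if it can be copied as-is. */
static const char *entity_for(char c)
{
    switch (c) {
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '&': return "&amp;";  /* else "&lt;" typed in a mail renders as "<" */
    case '"': return "&quot;";
    default:  return NULL;
    }
}

/* Escape a text/plain body for inclusion in an HTML page.
 * Returns the number of bytes written (excluding the NUL), or -1 if out
 * is too small. Never writes past out[outsz - 1]. */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        const char *ent = entity_for(*in);
        size_t n = ent ? strlen(ent) : 1;
        if (n >= outsz - used) {   /* keep one byte for the NUL */
            out[0] = '\0';         /* fail closed: emit nothing */
            return -1;
        }
        memcpy(out + used, ent ? ent : in, n);
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void)
{
    /* Constructed sample body, not taken from a real message. */
    const char *body = "</PRE><b>no longer preformatted</b>";
    char buf[256];

    if (html_escape(body, buf, sizeof buf) >= 0)
        printf("<PRE>%s</PRE>\n", buf);
    return 0;
}
```

Because every < in the body becomes &lt;, the closing </PRE> in the sample is displayed as text instead of ending the block.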



---------

This archive was generated by hypermail 2b29.