<HTML>
<HEAD>
<TITLE>MHonArc FAQ: Security</TITLE></HEAD>
<link rel="stylesheet" type="text/css" href="../docstyles.css">
<BODY>
<!--X-NavButtons-Start-->
<table width="100%"><tr><td align="left"><nobr>[<a href="mime.html">Prev</a>]</nobr></td><td align="center" width="100%">[<a href="faq.html">TOC</a>][<a href="../mhonarc.html">Manual</a>][<a href="http://www.mhonarc.org/">Home</a>]</td><td align="right"><nobr>[Next]</nobr></td></tr></table>
</p>
<!--X-NavButtons-End-->
<!-- ===================================================================== -->
<HR>
<H2><a name="security">Security</a></H2>
<!--X-TOC-Start-->
<ul>
<li><a href="#contact">Who do I contact if I find a vulnerability with MHonArc?</a></li>
<li><a href="#spam">Can I obscure email addresses?</a></li>
<li><a href="#mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
<li><a href="#htmldata">Why are HTML messages a security risk?</a></li>
<li><a href="#htmlexchow">So how can I exclude HTML mail?</a></li>
<li><a href="#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
<li><a href="#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
</ul>
<!--X-TOC-End-->
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="contact">Who do I contact if I find a vulnerability with MHonArc?</a></b></h3>
</td></tr></table>
<p>You can do one of the following:
</p>
<ul>
<li><p>You can submit a report at
<a href="http://savannah.nongnu.org/bugs/?func=addbug&group=mhonarc"
><https://savannah.nongnu.org/bugs/?func=addbug&group=mhonarc></a>.
Make sure to fill out all required information, and for the
<b>Bug Group</b> form item, select <em>Security</em>.
</p>
<p><strong>Note:</strong> All reports submitted for MHonArc via savannah
are automatically mailed to the
<a href="mailto:mhonarc-dev%40mhonarc.org">mhonarc-dev<!--
-->@<!--
-->mhonarc.org</a>
list, which is archived at
<a href="http://www.mhonarc.org/archive/html/"
><http://www.mhonarc.org/archive/html/></a>.
</p>
</li>
<li><p>Or, you can send a mail message to
<a href="mailto:mhonarc%40mhonarc.org?subject=Security%20Vulnerability"
>mhonarc<!--
-->@<!--
-->mhonarc.org</a>. This address goes directly to the author(s) of
MHonArc, and is <strong>not</strong> archived on any public site.
</p></li>
</ul>
<p>Please indicate if it is okay to mention your name in any resulting
advisories or patches that may result from your report. If you do
not make any indications, all attempts will be made to keep your identity
confidential.
</p>
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="spam">Can I obscure email addresses?</a></b></h3>
</td></tr></table>
<p>See the <a href="../resources/spammode.html">SPAMMODE</a> resource.
</p>
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></b></h3>
</td></tr></table>
<p>MHonArc database files may contain information that you do
not want web users to directly access. The best example is when
your archive is customized to obscure email addresses. However,
in the MHonArc database file, the original, unobscured, addresses
exist.
</p>
<p>There are multiple solutions to preventing access to database
files:
</p>
<ul>
<li><p>In v2.6, and later, the
<a href="../resources/dbfileperms.html">DBFILEPERMS</a> resource
exists to control the file permissions of the database file. By default,
the resource is set to a value that denies world read access. If the
archive files are owned by a different user ID than the web server
process (which is normally the case), then access to database files
will be denied.
</p>
<table class="note" width="100%">
<tr valign="baseline">
<td><strong>NOTE:</strong></td>
<td width="100%"><p>DBFILEPERMS is applicable to Unix-based systems.
Therefore, if using a different operating system, you may have to
use one of the other solutions to deny access.
</p>
</td>
</tr>
</table>
</li>
<li><p>Generate the archive in a non-web accessible location, and
then mirror files into a web-accesible locations, excluding the
database file. The drawback to this approach is it adds extra
administrative and processing overhead.
</p>
<li><p>Generally, web servers provide the ability deny access
to files. Refer to your web server's documentation for the specifies.
If you are using the <a href="http://httpd.apache.org/">Apache HTTP server</a>,
the following configuration directive can be used:
</p>
<pre class="code">
<Files .mhonarc.db>
Order allow,deny
Deny from all
</Files>
</pre>
<p>If you have <tt>mod_rewrite</tt> enabled, you could use the following
instead:
</p>
<pre class="code">
RewriteRule ^(.*)/.mhonarc.db $1 [R=permanent]
</pre>
<p>This will redirect browsers to the parent directory, which is
the actual archive associated with database file.
</p>
</li>
<li><p>The <a href="../resources/dbfile.html">DBFILE</a> resource can
be used to rename the database file to some arbitrary, not easily
guessed, name of your choosing. However, this does not prevent brute
force attempts to access the file.
</p>
</li>
<li><p><a href="../resources/dbfile.html">DBFILE</a> resource can
be set to a full pathname that is in a non-web server
accessible location.
</p>
<table class="note" width="100%">
<tr valign="baseline">
<td><strong>NOTE:</strong></td>
<td width="100%"><p>
Using a full pathname for <a href="../resources/dbfile.html">DBFILE</a> is
supported only in v2.5.13, or later.
</p>
</td>
</tr>
</table>
</li>
</ul>
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="htmldata">Why are HTML messages a security risk?</a></b></h3>
</td></tr></table>
<p>HTML can contain dynamic content, like JavaScript. If an
HTML message is blindly archived, you are introducing foreign dynamic
content to your web site that you have no control over. The best
example of this danger is the problem web-based email sites (e.g.
Hotmail) encountered when malicious people were sending HTML messages
to web-based email users and the messages contained dynamic content
that would popup windows (which had a similiar style of the web-based
email hosting provider) requesting sensitive information from
users (like passwords).
</p>
<p>These types of attacks are classified as <em>Cross-Site
Scripting</em> (XSS) attacks by the security community. The common
goal for XSS attacks is to obtain private information of a user,
like browser cookies used for site authentication. </p>
<p>The following is a brief list of some of the security issues
related to HTML messages:
</p>
<ul>
<li>Can contain foreign dynamic content.
</li>
<li>Can autoload URLs (via IMG, and similiar, elements) which
can be used to collect statistics on unsuspected readers.
</li>
<li>Contain hidden contents (like server-side include comments)
which may be processed by web servers to execute arbitrary
programs or extract arbitrary system files.
</li>
</ul>
<p>MHonArc's HTML filter (documented under the <a href="../resources/mimefilters.html">MIMEFILTERS</a>)
resource provides functionality of stripping out HTML data to
minimize security exploits. Check the document for full details.
The general recommendation for the security conscience is to exclude
any HTML message data (see <a href="#htmlexchow">next question</a>).
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="htmlexchow">So how can I exclude HTML mail?</a></b></h3>
</td></tr></table>
<p>The quickest method is
via the <a href="../resources/mimeexcs.html">MIMEEXCS</a> resource:
<p>
<pre class="code">
<b><MIMEExcs></b>
text/html
text/x-html
<b></MIMEExcs></b>
</pre>
<p>Unfortunately, for messages that contain only HTML data, the
entire message body will be excluded. Therefore, you may still
want to show the data, but have it so the HTML markup is completely
neutralized. The following resource settings will neutralize the
dangers of HTML messages without excluding message data:
</p>
<pre class="code">
<!-- It is common for popular MUA's to provide a text/plain version
of the text/html version of a message body. Therefore, we
use MIMEALTPREFS to choose the text/plain version if available.
-->
<b><a href="../resources/mimealtprefs.html"><MimeAltPrefs></a></b>
text/plain
text/html
<b></MimeAltPrefs></b>
<!-- For messages that do not have a text/plain alternative, we
treat HTML data as text/plain so the content is not lost, but
HTML markup is escaped and neutralized.
-->
<b><a href="../resources/mimefilters.html"><MIMEFilters></a></b>
text/html; m2h_text_plain::filter; mhtxtplain.pl
text/x-html; m2h_text_plain::filter; mhtxtplain.pl
<b></MIMEFilters></b>
</pre>
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></b></h3>
</td></tr></table>
<p>A malicious person could send a message with an attachment filename
that could overwrite existing content or be interpreted by the web
server in some special manner to execute actions. Example: Apache
allows for the support for creating <tt>.htaccess</tt> files to allow
configuration settings within a directory. If you have this feature
enabled and a message containes an attachment with the specified
filename <tt>.htaccess</tt> and MHonArc blindly used the attachment
filename, the attachment will override any existing <tt>.htaccess</tt>
file you created with a version defined by the sender of the message.
</p>
<p>Another possibility is that web servers sometimes interpret
filenames with certain extensions as executable content, like
<tt>.shtml</tt>, <tt>.cgi</tt>, <tt>.phtml</tt>. If MHonArc used the
attachment filename, or even just the attachment filename extension,
anyone who can send mail that will be archived on your site can
introduce executable content.
</p>
<p>It is because of the above reasons that the
<a href="../resources/mimefilters.html#m2h_external"><tt>m2h_external::filter</tt></a>
documented in the <a href="../resources/mimefilters.html">MIMEFILTERS</a>
resource advises caution when using the filter options that enable
the usage of attachment filenames or filename extensions.
</p>
<!-- ??????????????????????????????????????????????????????????????? -->
<hr noshade size=1>
<table border=0>
<tr valign=baseline><td><img src="monicon.png" align="bottom" alt=""></td><td>
<h3><b><a name="suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></b></h3>
</td></tr></table>
<p><strong>NO!</strong> It is not okay. First, MHonArc does
not pass Perl's taint checks. Second, MHonArc is vulnerable to
symlink attacks. Hence, if <tt>mhonarc</tt> (or any of the utility
programs) is setuid, <tt>mhonarc</tt> can be used for local priviledge
escalation attacks.
</p>
<!-- ===================================================================== -->
<hr>
<!--X-NavButtons-Start-->
<table width="100%"><tr><td align="left"><nobr>[<a href="mime.html">Prev</a>]</nobr></td><td align="center" width="100%">[<a href="faq.html">TOC</a>][<a href="../mhonarc.html">Manual</a>][<a href="http://www.mhonarc.org/">Home</a>]</td><td align="right"><nobr>[Next]</nobr></td></tr></table>
</p>
<!--X-NavButtons-End-->
<HR>
<address>
$Date: 2005/05/25 19:51:01 $ <br>
<img align="top" src="monicon.png" alt="">
<a href="http://www.mhonarc.org/"
><strong>MHonArc</strong></a><br>
Copyright © 2002, <a href="http://www.earlhood.com/"
>Earl Hood</a>, <a href="mailto:mhonarc%40mhonarc.org"
>mhonarc<!--
-->@<!--
-->mhonarc.org</a><br>
</address>
</BODY>
</HTML>