Bug 20811 - mhonarc before 2.6.19 vulnerable to PHP code injection
Summary: mhonarc before 2.6.19 vulnerable to PHP code injection
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-09 08:20 CEST by Rémi Verschelde
Modified: 2017-05-19 11:29 CEST

See Also:
Source RPM: mhonarc-2.6.18-6.mga5
CVE:
Status comment:



Description Rémi Verschelde 2017-05-09 08:20:14 CEST
As mentioned in the CHANGELOG of mhonarc [0], version 2.6.19 fixes:
"commentized subjects allow PHP code injection"

This vulnerability somehow stayed under our radar. Its only reverse dependency is sympa, which we use for our mailing lists, which were therefore vulnerable up to now (at the time of this writing mhonarc-2.6.19-1.mga5 is installed on our infra, fixing this issue).

[0] https://www.mhonarc.org/MHonArc/CHANGES
Comment 1 Rémi Verschelde 2017-05-09 08:25:35 CEST
Fixed in Cauldron, mhonarc-2.6.19-1.mga5 pushed to core/updates_testing.

Thanks to Frédéric Buclin for noticing this vulnerability.

Advisory:
=========

Updated mhonarc package fixes security vulnerability

  MHonArc before 2.6.19 is vulnerable to PHP code injection via commentized
  subjects. This update fixes it.

References:
 - https://www.mhonarc.org/MHonArc/CHANGES


RPMs in core/updates_testing:
=============================

mhonarc-2.6.19-1.mga5


SRPMs in core/updates_testing:
==============================

mhonarc-2.6.19-1.mga5

Assignee: bugsquad => qa-bugs

Comment 2 Rémi Verschelde 2017-05-09 08:27:24 CEST
Decreasing severity as upstream only recommends to upgrade *asap* to 2.6.18 (which we have), and treat 2.6.19 as a less urgent bugfix: https://www.mhonarc.org/


Testing: mhonarc's only reverse dependency is sympa, so testing sympa's archives should be sufficient. The update candidate is deployed on our infra, so if our archives on ml.mageia.org still work, that might be enough testing to validate.

Severity: critical => major

Comment 3 Herman Viaene 2017-05-09 10:42:22 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Trying to setup sympa on this old slow machine is too much.
Tried access to ml.mageia.org, I can log in there, but when I click e.g. "Quality Assurance" I get "50 Gateway Timeout".

CC: (none) => herman.viaene

Comment 4 Rémi Verschelde 2017-05-09 10:51:59 CEST
> Tried access to ml.mageia.org, I can log in there, but when I click e.g. "Quality
> Assurance" I get "50 Gateway Timeout".

Indeed, ml.mageia.org has been having some trouble for a couple of weeks. It's not related to this mhonarc update, but it doesn't help validating it :)
Comment 5 Rémi Verschelde 2017-05-10 08:12:35 CEST
The ML website is kind of working now, and I could confirm that the archives work as expected: https://ml.mageia.org/l/arc/dev/
Dave Hodgins 2017-05-11 20:52:55 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Lewis Smith 2017-05-14 16:55:42 CEST
Before testing 64-bit, some background.

"MHonArc provides HTML mail archiving with index, mail thread linking, etc;"
"MHonArc supports MH mail folders and UUCP/Unix mailbox files, so the term "mail folder" represents the MH mail folder or mailbox file to process."
That 'MH' matters. From the earlier test, it includes Opera mail; Claws also.

 https://www.mhonarc.org/MHonArc/doc/mhonarc.html
is a handy reference index page.

"MHonArc creates the following files after processing the mail folders:
    maillist.html: The main index file containing links to all mail messages converted. Messages are listed with subjects and who the messages are from. All messages are listed by the date.
    threads.html: The file listing messages by threads.
    msg*.html: HTML versions of the mail messages, where * represents a message number from 0 to the number of message processed minus 1.
    .mhonarc.db (or mhonarc.db under Windows): This database file contains archive information and resource settings for MHonArc to perform further updates.
    Other: If messages contain attachments, other files may be created for images, videos, binaries, etc.
By default, all files created are put into the current working directory. You can control the location of archive files by using the -outdir option."

 $ mhonarc -help
shows good info. But not man mhonarc.

 https://bugs.mageia.org/show_bug.cgi?id=3997 is where it was tested before - stand-alone. Current (pre-update) release is 2.6.18-6.

CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-05-14 19:06:11 CEST
Testing M5x64

BEFORE the update
Installed just mhonarc version above. To play with it directly, you need to specify the right path parameter for the mailbox messages. I think the number of trailing /*s should reflect the level of nesting in the mailbox. Thanks Dave for this invaluable pointer:
 https://bugs.mageia.org/show_bug.cgi?id=3997#c3
It produces at least one output file per message (msg + attachments), rather than a concatenated archive. So be ready for hundreds or thousands of files in the output directory, as per Comment 6.

Tried first with Opera, which stores messages in a date hierarchy per account:-
 $ mhonarc -output tmp/mh .opera/mail/store/account1/*/*/*/*
All those /*s were necessary! Lots of Perl errors, it ends:
 Writing tmp/mh/maillist.html ...
 Writing tmp/mh/threads.html ...
 Writing database ...
 2683 new messages
 2683 total messages

but the result pages:
 tmp/mh/maillist.html
 tmp/mh/threads.html
looked correct in a browser, and when followed. Cleared the output directory:
 $ rm -f tmp/mh/*

Then with Claws-mail, whose message organisation is per defined directory:-
 $ mhonarc -outdir tmp/mh /mnt/common/mail/*
Perhaps it needed a 2nd /* as I have that level of nesting; I did not check those sub-directories' content. Again lots of Perl errors, but the results were similar to above, and looked correct. Cleared the output directory.
 $ rm -f tmp/mh/*

AFTER update to: mhonarc-2.6.19-1.mga5
Opera:
 $ mhonarc -outdir tmp/mh ~/.opera/mail/store/account1/*/*/*/*
The result pages & messages in tmp/mh/ looked good, cleared it:
Claws-mail:
 $ mhonarc -outdir tmp/mh /mnt/common/mail/*
The result pages & messages in tmp/mh/ looked good, cleared it:
In both tests, there were no Perl errors; so that is an improvement.
Giving this the OK.

@Herman: do you want to have another go with a local mailbox? Use a special output directory to facilitate clearing it. It is really easy once you get the mailbox parameter right.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 8 Herman Viaene 2017-05-15 11:24:57 CEST
AFAICS claws-mail is an e-mail client, so I set it up to connect to my gmail account. Made sure there are 5 mails in the inbox and then at the CLI:
$ mhonarc -outdir tmp/mh .claws-mail/*                   
This is MHonArc v2.6.19, Perl 5.020001 linux
Converting messages to tmp/mh
Reading .claws-mail/accountrc .
Warning: Could not parse date for message
         Message-Id: <f8ebbea3e29702b9486a6708c2ac9cc6@NO-ID-FOUND.mhonarc.org>
         Date: 
and 9 more like these, then:
Reading .claws-mail/messagesearch_history 
Reading .claws-mail/mimetmp 
Reading .claws-mail/newscache 
Reading .claws-mail/quicksearch_history 
Reading .claws-mail/summarysearch_adv_history 
Reading .claws-mail/summary_searchbody_history 
Reading .claws-mail/summarysearch_from_history 
Reading .claws-mail/summarysearch_subject_history 
Reading .claws-mail/summarysearch_to_history 
Reading .claws-mail/tagsdb 
Reading .claws-mail/tagsrc .
Warning: Could not parse date for message
         Message-Id: <393ea2153743b4c03b6484472e8b5739@NO-ID-FOUND.mhonarc.org>
         Date: 

Reading .claws-mail/tempfolder 
Reading .claws-mail/tmp 
Reading .claws-mail/toolbar_main.xml .
Warning: Could not parse date for message
         Message-Id: <9ad78fd2ca1d044df31fae85c55f4640@NO-ID-FOUND.mhonarc.org>
         Date: 

Reading .claws-mail/uidl 

Writing mail ............
Writing tmp/mh/maillist.html ...
Writing tmp/mh/threads.html ...
Writing database ...
12 new messages
12 total messages

But the files created do not show or refer to the messages, but the setup and log of the operations.
Note: /mnt/common/mail/ does not exist here.
Comment 9 Rémi Verschelde 2017-05-19 11:06:11 CEST
It has been tested successfully on our ml.mageia.org over the last 10 days, so it's good to validate.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-05-19 11:29:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0141.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
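
Added example, not part of the bug thread and not MHonArc or Mageia code: a defender-side check that walks an archive's msg*.html files (the per-message files named in Comment 6) and reports HTML comments containing a PHP open tag, which is how a "commentized" header could carry injected PHP. It assumes the archive is served by a PHP-enabled web server; the sample pages and their `X-Subject` comment layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# HTML comments, matched non-greedily and across line breaks.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# PHP open tags: "<?php", "<?=" and the short form "<?" (but not "<?xml").
PHP_OPEN_RE = re.compile(r"<\?(?:php\b|=|(?!xml\b))", re.IGNORECASE)

# Constructed sample pages (not real archive output).
CLEAN_SAMPLE = "<!--X-Subject: weekly QA meeting -->\n<html><body>ok</body></html>\n"
SUSPECT_SAMPLE = (
    "<!--X-Subject: hello <?php /* placeholder */ ?> -->\n"
    "<html><body>ok</body></html>\n"
)


def find_php_in_comments(html):
    """Return the HTML comment bodies in `html` that contain a PHP open tag."""
    return [
        m.group(1).strip()
        for m in COMMENT_RE.finditer(html)
        if PHP_OPEN_RE.search(m.group(1))
    ]


def scan_archive(outdir):
    """Map each msg*.html file in `outdir` to its suspicious comment bodies."""
    hits = {}
    for path in sorted(Path(outdir).glob("msg*.html")):
        found = find_php_in_comments(path.read_text(errors="replace"))
        if found:
            hits[path.name] = found
    return hits


if __name__ == "__main__":
    # Build a throwaway archive directory from the constructed samples.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "msg00000.html").write_text(CLEAN_SAMPLE)
        Path(tmp, "msg00001.html").write_text(SUSPECT_SAMPLE)
        for name, comments in scan_archive(tmp).items():
            print(name, comments)
```

Pages generated before the upgrade to 2.6.19 are not rewritten by installing the new package, so a scan like this is aimed at archives that already exist on disk.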

