Mhonarc 2.5.x - Mail Header HTML Injection

Author: Steven Christey
type: remote
platform: linux
port: 
date_added: 2002-11-19  
date_updated: 2012-10-17  
verified: 1  
codes: CVE-2002-1307;OSVDB-7353  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 22026.txt  

source: https://www.securityfocus.com/bid/6204/info

A HTML injection vulnerability has been discovered in Mhonarc.

An attacker may exploit this issue by sending a specially constructed email containing malicious HTML code in the header section. When the vulnerable Mhonarc client converts the message to HTML, any malicious HTML code will be executed within the context of the displayed web page.

To: <someone@example.com>
From: <hacker@example.com>
Header<SCRIPT>hello</SCRIPT>def: whatever