[hypermail] Hypermail security

From: Franklin DeMatto <franklin.lists_at_qdefense.com_at_hypermail-project.org>
Date: Mon, 12 Nov 2001 11:33:30 -0500
Message-Id: <4.2.2.20011112112140.020e6220_at_compumodel.com>


I'm curious as to whether the following issues have been looked into:

Can a user sneak nasty HTML into a message? Using <PRE> does not suffice, as an evil user can close it with </PRE>. Ideally, there should be a setting to convert any < and > into &lt; and &gt;, so that no evil HTML can get in. The entire message would need to be scanned. Of course, this would only work for text/plain, not text/html.

Has hypermail been audited for other security issues? Buffer overflows, and creation of local files with evil names (such as unwanted extensions) or properties (such as double dots in paths or x-bit on) come to mind.

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing http://qDefense.com
qDefense: Making Security Accessible

Received on Tue 13 Nov 2001 06:15:36 PM GMT
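
The conversion the message asks for, sketched in C as an added example; it is not part of the original message and is not hypermail's own code. `html_escape` and `sample_body` are hypothetical names, and the function also escapes `&` and `"`, which the message does not mention, so that entity-like text in a mail body is displayed literally.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a malloc'ed copy of `in` with HTML
 * metacharacters replaced by entities, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t len = 0;
    char *out, *q;

    /* First pass: compute the exact output size so the copy cannot overflow. */
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '<': case '>': len += 4; break;   /* &lt; / &gt; */
        case '&':           len += 5; break;   /* &amp;       */
        case '"':           len += 6; break;   /* &quot;      */
        default:            len += 1; break;
        }
    }
    out = malloc(len + 1);
    if (out == NULL) return NULL;

    /* Second pass: scan the entire body, substituting entities. */
    q = out;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '<': memcpy(q, "&lt;", 4);   q += 4; break;
        case '>': memcpy(q, "&gt;", 4);   q += 4; break;
        case '&': memcpy(q, "&amp;", 5);  q += 5; break;
        case '"': memcpy(q, "&quot;", 6); q += 6; break;
        default:  *q++ = *p; break;
        }
    }
    *q = '\0';
    return out;
}

/* Constructed text/plain body that tries to close the <PRE> wrapper. */
static const char sample_body[] =
    "hello\n</PRE><script>alert(1)</script><PRE>\nAT&T says \"hi\"\n";

int main(void)
{
    char *safe = html_escape(sample_body);
    if (safe == NULL) return 1;
    printf("<PRE>\n%s</PRE>\n", safe);   /* only the archiver's own tags remain */
    free(safe);
    return 0;
}
```

As the message notes, this applies to text/plain parts only; a text/html part cannot be handled by entity conversion.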

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT