J-Security Center

Title: chuggnutt.com HTML to Plain Text Conversion Remote Code Execution Vulnerability

Severity: HIGH

Description:

'HTML to Plain Text Conversion' from chuggnutt.com is a PHP class for converting HTML to plain ASCII text.

The class is prone to a remote code-execution vulnerability because it fails to properly sanitize user-supplied input when using regular expressions to filter HTML code. Specifically, the 'html2text.php' script calls the PHP 'preg_replace()' function in an insecure manner: the pattern carries the 'e' (eval) modifier, which makes PHP evaluate the replacement string as code after the captured HTML has been substituted into it, so text taken from the HTML being converted reaches eval().

Attackers can exploit this issue to inject and execute malicious server-side script in the context of the application using the vulnerable class. Successful exploits will compromise the affected application and possibly the underlying computer.
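The following is an added illustration of the insecure 'preg_replace()' idiom beside its hardened form; it is not code from the chuggnutt.com class or from Roundcube. The regular expression and the heading-to-uppercase rule are modelled on the kind of rule such a converter applies, and the sample HTML strings are constructed for the demonstration.

```php
<?php
// Vulnerable idiom (illustrative, not the class's own code): with the 'e'
// modifier, preg_replace() substitutes the captured group into the
// replacement string and then passes the result to eval(). Whatever stands
// between <h1> and </h1> in the HTML being converted is therefore compiled
// as part of a PHP expression. The 'e' modifier was deprecated in PHP 5.5
// and removed in PHP 7.0, so this function only behaves as described on
// PHP 5.x; on PHP 7+ preg_replace() rejects the modifier and returns NULL.
function headings_upper_vulnerable($html)
{
    return preg_replace('/<h[123][^>]*>(.*?)<\/h[123]>/ie',
                        'strtoupper("\\1")',
                        $html);
}

// Hardened equivalent: preg_replace_callback() hands the match to a PHP
// closure. The captured text is passed as a plain string argument and is
// never interpolated into source code, so there is nothing to inject into.
function headings_upper_safe(string $html): string
{
    return preg_replace_callback(
        '/<h[123][^>]*>(.*?)<\/h[123]>/i',
        function (array $m): string {
            return strtoupper($m[1]);
        },
        $html
    );
}

// Constructed sample input. preg_replace() under /e backslash-escapes quotes
// in the substituted backreference, so the attacker cannot simply close the
// double-quoted string; but PHP's complex variable syntax {${ ... }} inside
// a double-quoted string is still evaluated, which is why heading text of
// this shape is dangerous when it lands inside strtoupper("...").
$benign  = '<h1>Quarterly report</h1><p>Body text</p>';
$hostile = '<h1>{${phpinfo()}}</h1>';

echo headings_upper_safe($benign), PHP_EOL;   // QUARTERLY REPORT<p>Body text</p>
echo headings_upper_safe($hostile), PHP_EOL;  // {${PHPINFO()}} as literal text; nothing is executed
```

When auditing a PHP code base for this class of bug, grep for pattern strings whose trailing modifier set contains 'e' (for example `/ie'` or `/e'`) and replace each with 'preg_replace_callback()'; the fix is mechanical because every 'e'-style replacement is already a PHP expression over the backreferences and translates directly into a closure body.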

The issue affects version 1.0 of the class; other versions may also be affected.

NOTE: This issue was initially reported in Roundcube Webmail. RoundCube Webmail 0.2-1 alpha, 0.2-2 beta, and possibly other versions are vulnerable because they use the vulnerable 'HTML to Plain Text Conversion' class.

Affected Products:

  • AtMail Open 1.03
  • Mahara 1.1.1
  • Mahara 1.1.2
  • Red Hat Fedora 8
  • Red Hat Fedora 9
  • RoundCube Webmail 0.2-1 alpha
  • RoundCube Webmail 0.2-3 beta
  • Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Linux 8.04 LTS i386
  • Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Linux 8.04 LTS sparc
  • Ubuntu Linux 8.10 amd64
  • Ubuntu Linux 8.10 i386
  • Ubuntu Linux 8.10 lpia
  • Ubuntu Linux 8.10 powerpc
  • Ubuntu Linux 8.10 sparc
  • chuggnutt.com HTML to Plain Text Conversion 1.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.