SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Hastymail Vendors:   hastymail.sourceforge.net
Hastymail May Execute Scripting Code in E-Mail Content When 'Download' is Selected
SecurityTracker Alert ID:  1011054
SecurityTracker URL:  http://securitytracker.com/id/1011054
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 25 2004
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.0.2
Description:   A vulnerability was reported in the Hastymail IMAP client. A remote user can send a malicious message to cause scripting code to be executed on the target user's computer.

The vendor reported that when a user invokes the 'download' link, Internet Explorer will launch and attempt to display attachments inline. As a result, scripting code in a message may be executed when the target user attempts to download the content.

The vendor credits Manish Raje with reporting this issue.

Impact:   The client may execute scripting code within a MIME attachment when download is selected.
Solution:   The vendor has released a fixed version (1.0.2 stable and 1.2 development), available at:

http://sourceforge.net/project/showfiles.php?group_id=66202

Some patches are also available.

Patch for 1.1:

http://hastymail.sourceforge.net/hastymail-1.1_download_fix.diff

Patch for 1.0.1:

http://hastymail.sourceforge.net/hastymail-1.0.1_download_fix.diff

Vendor URL:  hastymail.sourceforge.net/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Hastymail security update


---Software---

  Hastymail is a web based IMAP client written in PHP4 released under the
GNU GPL. More information about Hastymail can be found at our homepage: 

http://hastymail.sourceforge.net


---Problem---

  A problem was discovered yesterday regarding the use of the "download"
link to download message parts using Internet Explorer while on the message
view page. When using Internet Explorer and clicking on "download" for a
HTML message part it is possible that rather than prompt the user to save
the file it will open UNFILTERED in the user's web browser. Though we set
the MIME type of the file to be downloaded to application/octet-stream we
did not send the "attachment" paramater in the HTTP Content-Disposition
header, therefore Internet Explorer would assume the file should be
displayed inline, most likely looking at the filename extension to
determine how to open it.


---Fixes---

We have made patches for current versions and a drop in replacement file
available on our website. New versions of both our development and stable
series have also been released. The only difference between the new stable
version (1.0.2) and the prior version is a fix for this problem. The new
development version (1.2) also contains some other fixes and a few new
features.

patch for 1.1:
http://hastymail.sourceforge.net/hastymail-1.1_download_fix.diff

patch for 1.0.1:
http://hastymail.sourceforge.net/hastymail-1.0.1_download_fix.diff

drop in replacement file for BOTH 1.1 and 1.0.1:
http://hastymail.sourceforge.net/download.php.tar.gz

download 1.2 or 1.0.2:
http://sourceforge.net/project/showfiles.php?group_id=66202


---More information---

  As this issue could represent a way for activex or javascript to be
executed without user consent, we recommend all sites upgrade to the latest
version, use the drop-in replacement file, or patch their existing
installation. More information can be found on our security page at:

http://hastymail.sourceforge.net/security.php


Thanks to Manish Raje for reporting this issue. 

\__ Jason Munro
 \__ jason@stdbev.com
  \__ http://hastymail.sourceforge.net/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC