OSVDB ID: 9131

Title: Hastymail Attachment Content-Disposition Header XSS

Info

Dates

Disclosure: Aug 24, 2004
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Hastymail contains a flaw that allows a remote cross-site scripting attack. The flaw exists because email attachments are not properly declared in the Content-Disposition HTTP header, which allows Internet Explorer to open them inline. This could allow a user to inject JavaScript or ActiveX code into an attachment that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
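The defensive side of the flaw described above, as an added example that is not Hastymail's own code (the project is PHP; this is a Python sketch of the header logic a webmail attachment handler should emit). It shows the weak header set beside the corrected one, which forces a download with `Content-Disposition: attachment`, and goes beyond the page by also neutralising the filename and adding `X-Content-Type-Options: nosniff`; the function names and the MIME-type list are assumptions.

```python
import re
from urllib.parse import quote

# MIME types a browser will render as a document or execute if shown inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "text/xml", "application/xml",
}


def vulnerable_attachment_headers(content_type: str) -> dict:
    # Constructed 'before' case: the attachment's declared MIME type is echoed back
    # and no Content-Disposition is sent, so an HTML attachment renders inline in the
    # webmail origin and any script inside it runs with the user's session.
    return {"Content-Type": content_type}


def safe_filename(name: str) -> str:
    # Keep only the final path component, then drop control characters, quotes and
    # backslashes so the value cannot break out of the quoted-string or inject CRLF.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r'[\x00-\x1f\x7f"\\]', "", name).strip(" .")
    return name or "attachment"


def safe_attachment_headers(filename: str, content_type: str) -> dict:
    # Hardened form: always force a download, never trust an active MIME type from
    # the mail, and stop the browser from sniffing the body into something executable.
    name = safe_filename(filename)
    ascii_name = name.encode("ascii", "ignore").decode() or "attachment"
    ct = content_type.split(";")[0].strip().lower()
    if not ct or ct in ACTIVE_TYPES:
        ct = "application/octet-stream"
    disposition = f'attachment; filename="{ascii_name}"'
    if ascii_name != name:
        # RFC 5987 encoded form carries the non-ASCII name for modern browsers.
        disposition += f"; filename*=UTF-8''{quote(name, safe='')}"
    return {
        "Content-Type": ct,
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",
    }
```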

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation, Misconfiguration
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.0.2 or to version 1.2 or higher, as these have been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch provided by the vendor for versions 1.0.1 and 1.1.

Products

Vendor: Jason Munro
Product: Hastymail
Affected versions: 1.0.1, 1.1

References

Credit

  • Jason Munro

Direct URL: http://osvdb.org/36218