Hastymail HTML allows script execution

hastymail-html-script-execution (17091) The risk level is classified as MediumMedium Risk

Description:

Hastymail is vulnerable to script execution, caused by an improper header response. A remote attacker could embed malicious code in a specially-crafted attachment, which would be executed in the victim's Web browser within the security context of the hosting site, once the attachment is downloaded. A remote attacker could use this vulnerability to execute arbitrary HTML and script code.

Platforms Affected:

  • Hastymail, Hastymail 1.0.1 and prior
  • Hastymail, Hastymail 1.1 and prior

Remedy:

For Hastymail Stable 1.0.1 and prior:
Upgrade to the latest version of Hastymail (1.0.2 or later) available from the Hastymail Web site. See References.

For Hastymail Development 1.1 and prior:
Upgrade to the latest version of Hastymail (1.2 or later) available from the Hastymail Web site. See References.

Consequences:

Gain Access

References:

  • Hastymail Web site, Hastymail - Main page at http://hastymail.sourceforge.net.
  • BID-11022: Hastymail HTML Attachment Script Execution Vulnerability
  • CVE-2004-2704: Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) does not send the attachment parameter in the Content-Disposition field for attachments, which causes the attachment to be rendered inline by Internet Explorer when the victim clicks the download link, which facilitates cross-site scripting (XSS) and possibly other attacks.
  • OSVDB ID: 9131: Hastymail Attachment Content-Disposition Header XSS
  • SA12358: Hastymail Script Insertion Vulnerability
  • SECTRACK ID: 1011054: Hastymail May Execute Scripting Code in E-Mail Content When `Download` is Selected

Reported:

Aug 24, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page