[Hastymail-devel] Re: Security Concerns with HastyMail 1.0.1 (update and patches)
From: Jason M. <sai...@us...> - 2004-08-23 18:57:38
On 8:19:31 am 2004-08-23 "Manish Raje" <man...@pe...> wrote:
> Hi HastyMailers
>
> I'm analyzing the security aspects of some of the popular
> OpenSource WebEmail systems.
>
> HastyMail 1.0.1 works good on cleaning of HTML albeit
> in the message view. All the good work goes for a toss when
> the download link is clicked for downloading HTML.
>
> HastyMail opens up the HTML in the same window and this HTML is
> unfiltered. Browser starts executing the HTML code unrestrained.
>
> Using this, I was able to invoke an ActiveX control on recipient's
> machine by sending an HTML attachment in the email.
> Also, because of this incorrect behavior, WebBugs get through.

Here is an update. Bug found and fixed in development and stable CVS trees (adding the missing 'attachment' value to the Content-Disposition header does the trick). Attached are patches for 1.0.1 and 1.1 versions. They can be applied from the top level hastymail folder with:

    patch -p0 < patch_name

Could someone please confirm for me that these do in fact cause their version of IE to now prompt the user for an action when selecting "download" for an HTML part? Patched versions work correctly here with a fully patched IE6 on win98.

_ Jason Munro
_ sai...@us...
_ http://hastymail.sourceforge.net/
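
The fix described in the reply above, sketched in PHP as an added example: this is not the Hastymail patch or any code from the project. The function name `download_headers`, the filename handling and the `nosniff` header are assumptions added here for illustration.

```php
<?php
// Added example, not Hastymail code. download_headers() is a hypothetical helper.

// Build the response headers for the "download" link of a message part.
// $mime and $filename are taken from the e-mail, so both are untrusted input.
function download_headers(string $mime, string $filename, int $length): array
{
    // Drop control characters (CR/LF would allow header injection),
    // double quotes, backslashes and path separators from the filename.
    $safe = preg_replace('/[\x00-\x1F\x7F"\\\\\/]/', '', $filename);
    $safe = trim($safe, ". \t");
    if ($safe === '') {
        $safe = 'attachment.bin';
    }
    // ASCII fallback for filename=; the UTF-8 form goes in filename*= (RFC 6266).
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $safe);

    // Accept only a well-formed type/subtype, otherwise serve generic binary.
    if (!preg_match('#^[A-Za-z0-9][A-Za-z0-9.+-]*/[A-Za-z0-9][A-Za-z0-9.+-]*$#', $mime)) {
        $mime = 'application/octet-stream';
    }

    return [
        'Content-Type: ' . $mime,
        'Content-Length: ' . $length,
        // The "attachment" disposition type is the point of the fix: without it
        // the browser may render an HTML part inline, unfiltered.
        'Content-Disposition: attachment; filename="' . $ascii . '"'
            . "; filename*=UTF-8''" . rawurlencode($safe),
        // Later browser hardening, not part of the 2004 change (assumption added here).
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample: an HTML part whose filename tries to smuggle in a header.
foreach (download_headers('text/html', "invoice.html\r\nSet-Cookie: x=1", 1024) as $h) {
    echo $h, "\n"; // in a web handler this would be header($h);
}
```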