Hastymail2

Hastymail2 is an Open Source IMAP webmail client written in PHP. Our focus is compliance, usability, security, and speed.
     
2015-04-16 Update:

Sadly Hastymail2 is no longer being maintained. Happily this is because we are working on a new web-based E-mail client, called Cypht. If you need support your best bet is the #hastymail IRC channel at freenode. Thanks to everyone who contributed to and supported this project!

Hastymail2 1.01 Stable Released

We have a new stable release available to address a recently discovered cross site scripting issue. The only change to the code over the 1.0 release is this specific fix. It's unfortunate to have a security issue pop up so soon after the first stable release, but it does indicate that we are getting some increased publicity (sourceforge stats support this also). Having people searching for flaws in our code really helps us make Hastymail2 more secure. Read on for details of the specific issue and what can be done to resolve the problem.

The cross site scripting issue was discovered and reported by Julien CAYSSOL. It is triggered by a malformed background attribute in a table element (table, tr, td) contained in an HTML E-mail. The result of this flaw is that it allows javascript to be executed from within an HTML message for affected browsers, which is currently limited to Internet Explorer. We use htmLawed to filter javascript out of HTML message bodies, and under normal use htmLawed removes these attributes from table elements (they are not valid HTML); however, due to feedback from testers I altered the filtering mechanism to allow these attributes, as they are commonly used in HTML formatted messages. When altering the filter to allow this tag I failed to also configure it to be properly sanitized. Just to be clear, this problem is NOT a bug in htmLawed, rather our implementation of it.
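To make the shape of the required check concrete, here is an added example written for this page; it is not the Hastymail2 1.01 patch and not htmLawed's configuration. It uses PHP's built-in DOMDocument and two hypothetical function names (`sanitize_table_backgrounds`, `is_safe_background_url`) to apply the rule the text describes: a `background` attribute on a table element may stay only if, after normalization, it is a plain http or https URL; anything else is dropped rather than passed through to the browser.

```php
<?php
// Added example (not Hastymail2 or htmLawed code): allowlist filter for the
// `background` attribute on table elements in an HTML message body.

function is_safe_background_url(string $value): bool
{
    // Remove ASCII control characters and whitespace anywhere in the value
    // before looking at the scheme, so an obfuscated scheme cannot get past
    // a simple prefix check. DOMDocument has already decoded HTML entities.
    $normalized = preg_replace('/[\x00-\x20\x7f]+/', '', $value);
    if ($normalized === null || $normalized === '') {
        return false;
    }
    // Only absolute http:// or https:// URLs without quote/angle characters.
    return (bool) preg_match('#^https?://[^"\'<>]+$#i', $normalized);
}

function sanitize_table_backgrounds(string $html): string
{
    // Elements that legitimately carry a background attribute in HTML mail.
    $elements = ['table', 'tr', 'td', 'th'];

    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // Parse the fragment as-is: no implied <html><body> wrapper, no doctype.
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    foreach ($elements as $tag) {
        // The HTML parser lowercases element and attribute names, so this
        // also matches BACKGROUND= and <TABLE> in the original markup.
        foreach ($xpath->query("//{$tag}[@background]") as $el) {
            if (!is_safe_background_url($el->getAttribute('background'))) {
                $el->removeAttribute('background');
            }
        }
    }
    return $doc->saveHTML();
}

// Constructed sample input (not taken from a real message).
$sample = '<table background="https://example.com/tile.png"><tr>'
        . '<td background="javascript:void(0)">cell</td>'
        . '<td background=" https://example.com/cell.png ">cell</td>'
        . '</tr></table>';

// The https:// values survive (leading/trailing whitespace is tolerated);
// the javascript: value is removed from the td.
echo sanitize_table_backgrounds($sample), "\n";
```

Two design points worth noting: the check works on the parsed attribute value, so entity-encoded or whitespace-padded schemes are judged after decoding rather than as raw bytes, and an attribute that fails the check is removed outright instead of being rewritten, which keeps the remaining markup valid and leaves nothing for the browser to interpret.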

To resolve this problem sites can upgrade to the 1.01 release, which does not contain any additional code changes except the patch to address this issue. You can also download the current version of the filter from SVN and overwrite the file in your Hastymail 1.0 installation.

http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/lib/htmLawed.php?revision=1676

Copy this file over the current htmLawed.php file located here:

hastymail2/lib/htmLawed.php

Thanks again to Julien for reporting this issue. Security is important to us and anyone who finds a problem and reports it will be given full credit on our security page. We believe in full disclosure of security bugs, but we greatly appreciate it when bugs are reported to our development team first so we can produce a fix for our users before publicly announcing the situation.

