Hastymail2

Hastymail2 is an Open Source IMAP webmail client written in PHP. Our focus is compliance, usability, security, and speed.
     


Security

    When the new Hastymail code is released this page will be a source of any security related updates or information. Application security is extremely important to us, so if you have any questions or comments please let us know. We support full disclosure of security issues, however if you find one in Hastymail please let us know before anything is disclosed to the public. This way we can build a fix and inform our users. We will work with and credit anyone who brings security issues to our attention.

Security related inquires can be sent to:

jason [at] hastymail [dot] org

or you can use the contact page send us a message.

 

Hastymail2 1.1 Stable released August 20, 2012 fixes two recently disclosed security issues.

Two security issues have been recently discovered in Hastymail. Both are fixed in this latest release. All users are encouraged to upgrade to the 1.1 version to protect themselves from these issues.

Remote code execution: In order for this issue to be exploitable sites must have the notices plugin enabled in Hastymail, and register_globals and allow_url_fopen enabled in  PHP. It is STRONGLY recommended that you do not have register_globals enabled in PHP. Upgrading to the 1.1 version resolves this bug, or you can update the hastymail2/plugins/notices/test_sounds.php file to the latest version in SVN found here:

 http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074

XXS exploit on thread view: Shai Rod reported an issue on the thread view page that allows specially crafted message subjects to execute javascript code when viewed on the thread view page. Several files had to be modified to correct this issue so it is recommended that sites upgrade to version 1.1 to mitigate this issue.

Thanks to everyone who has reported security issues. Your efforts help us make Hastymail more secure! 

 

Hastymail2 1.01 Stable released September 29, 2010 fixes a newly discovered cross site scripting issue.

Many thanks to Julien CAYSSOL who discovered and reported the issue. The specific problem is an XSS attack vector in HTML formatted messages that takes advantage of background attributes used with table cell elements. Due to an incorrect implementation of the new htmLawed HTML filter this attribute value was not properly sanitized and could be used to inject executable JavaScript. This was NOT a flaw in the htmLawed filter code itself, but a problem with it's specific use in Hastymail2. The Hastymail2 1.01 release was pacakages specifically to address this one issue. All users are encouraged to upgrade to this stable version, or to the latest version of SVN, both of which correct this problem. The latest stable version is available here:

 http://sourceforge.net/project/platformdownload.php?group_id=66202

The problem can also be fixed by replacing the filter with the current version from SVN. You can download the file here:

http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/lib/htmLawed.php?revision=1676

Copy this file over the current htmLawed.php file located here:

hastymail2/lib/htmLawed.php

Thanks again to Julien for reporting this issue!

 

Hastymail2 RC 8 released December 6, 2009 contains several security specific updates worth mentioning.

 These were introduced pro-actively and are not in response to any known security vulnerabilities

- The IMAP class has a new validation layer that examines IMAP commands that could contain possibly dangerous input and raises a fatal error if anything suspicious is found.

- The SMTP class has a similar validation layer that protects against possible command injection attacks.

- Session cookies now use both the secure cookie flag (when using HTTPS) and a specific cookie path to limit any undo exposure to sensitive information.

 

Hastymail2 1.1 RC2 Stable released November 10 2011, addresses two security issues

Two issues where discovered and disclosed by Bruno Teixeira regarding unsafe handling of AJAX callback assignments. These issues at worst could provide remote code execution attack vectors and all users are recommended to upgrade to the latest version to mitigate any potential problem.

 The latest version of Hastymail2 is available here:

   http://sourceforge.net/projects/hastymail/files/latest/download

Thanks Bruno for professionally disclosing these issues with enough lead time to provide a fix.

 

Get Hastymail at SourceForge.net. Fast, secure and Free Open Source software downloads