Hastymail2

Hastymail2 is an Open Source IMAP webmail client written in PHP. Our focus is compliance, usability, security, and speed.
Security

When the new Hastymail code is released this page will be a source of any security-related updates or information. Application security is extremely important to us, so if you have any questions or comments please let us know. We support full disclosure of security issues; however, if you find one in Hastymail, please let us know before anything is disclosed to the public. This way we can build a fix and inform our users. We will work with and credit anyone who brings security issues to our attention.

Security-related inquiries can be sent to:

jason [at] hastymail [dot] org

or you can use the contact page to send us a message.

 

Hastymail2 1.01 Stable, released September 29, 2010, fixes a newly discovered cross-site scripting issue.

Many thanks to Julien CAYSSOL, who discovered and reported the issue. The specific problem is an XSS attack vector in HTML-formatted messages that takes advantage of the background attribute on table cell elements. Due to an incorrect implementation of the new htmLawed HTML filter, this attribute value was not properly sanitized and could be used to inject executable JavaScript. This was NOT a flaw in the htmLawed filter code itself, but a problem with its specific use in Hastymail2. The Hastymail2 1.01 release was packaged specifically to address this one issue. All users are encouraged to upgrade to this stable version, or to the latest version from SVN, both of which correct this problem. The latest stable version is available here:

 http://sourceforge.net/project/platformdownload.php?group_id=66202

The problem can also be fixed by replacing the filter with the current version from SVN. You can download the file here:

http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/lib/htmLawed.php?revision=1676

Copy this file over the current htmLawed.php file located here:

hastymail2/lib/htmLawed.php

Thanks again to Julien for reporting this issue!
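As an added illustration of the class of bug described above (this is example code written for this page, not code from Hastymail2 or from htmLawed), the Python filter below treats the `background` attribute as a URL-bearing attribute and subjects it to the same scheme check as `href` and `src`. The allowed-scheme list, the attribute list and the sample message body are constructed for the example; a real deployment would keep htmLawed (or any other filter) doing the full job and use a check like this only as a second opinion on its output.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose value is fetched or navigated to as a URL. The point of the
# advisory above is that "background" belongs on this list: if only href/src
# are checked, a table cell background can still carry a script URL.
URL_ATTRS = {"href", "src", "background", "cite", "action", "poster"}

# Schemes a webmail client can reasonably allow in message HTML (constructed
# policy for this example; "cid" covers inline MIME parts).
SAFE_SCHEMES = {"http", "https", "cid", "mailto"}

# Browsers ignore ASCII control characters inside a scheme, so "java\tscript:"
# is executed as "javascript:"; strip them before looking at the scheme.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def is_safe_url(value):
    """True if the attribute value is relative or uses an allowed scheme."""
    cleaned = _CONTROL.sub("", value).lower()
    match = _SCHEME.match(cleaned)
    if match is None:
        return True          # no scheme at all: a relative reference
    return match.group(1) in SAFE_SCHEMES


class UrlAttrFilter(HTMLParser):
    """Re-emit HTML, dropping URL attributes that fail the scheme check."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []    # (tag, attribute, value), useful for audit logs

    def _emit(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:            # boolean attribute, e.g. <td nowrap>
                parts.append(name)
                continue
            # html.parser has already decoded entities in the value, so an
            # encoded "&#106;avascript:" reaches us as plain "javascript:".
            if name in URL_ATTRS and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_message_html(html):
    """Return (filtered HTML, list of dropped attributes)."""
    parser = UrlAttrFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message body: one cell with a script URL in its
# background attribute, one with an ordinary image URL.
SAMPLE_MESSAGE = (
    '<table><tr>'
    '<td background="javascript:alert(1)">hi</td>'
    '<td background="https://example.com/bg.png">ok</td>'
    '</tr></table>'
)

if __name__ == "__main__":
    cleaned, dropped = filter_message_html(SAMPLE_MESSAGE)
    print(cleaned)
    print("dropped:", dropped)
```

This is deliberately not a complete sanitizer: it has no element allow-list and does not look inside `style` attributes for `url()` values. What it shows is the single check that the advisory says was missing, applied after entity decoding and control-character stripping so that obfuscated spellings of the scheme are caught as well.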

 

Hastymail2 RC 8, released December 6, 2009, contains several security-specific updates worth mentioning.

These were introduced proactively and are not in response to any known security vulnerabilities.

- The IMAP class has a new validation layer that examines IMAP commands that could contain possibly dangerous input and raises a fatal error if anything suspicious is found.

- The SMTP class has a similar validation layer that protects against possible command injection attacks.

- Session cookies now use both the secure cookie flag (when using HTTPS) and a specific cookie path to limit any undue exposure of sensitive information.
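The three items above share one idea: user-controlled values must not be able to break out of the protocol line or the cookie scope they are placed in. The Python below is an added example of that validation layer (it is not Hastymail2's PHP code); the cookie name, the `/hastymail2/` path and the sample mailbox names are assumptions made for the example, and the IMAP encoding covers quoted strings only, not literal syntax.

```python
import re


class CommandInjectionError(ValueError):
    """Raised when a value could not be embedded safely in a protocol command."""


# IMAP and SMTP are line-oriented: a CR or LF inside an argument ends the
# current command and lets the remainder of the value be read as a new one.
# NUL is rejected too because it is not a valid TEXT-CHAR and can truncate
# strings in C-based servers.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def check_argument(value, what="argument"):
    """Return value unchanged, or raise if it contains a line or NUL break."""
    if _FORBIDDEN.search(value):
        raise CommandInjectionError(f"{what} contains CR, LF or NUL")
    return value


def imap_quoted(value):
    """Encode value as an IMAP quoted string (RFC 3501, section 4.3).

    Only backslash and double quote need escaping inside a quoted string,
    but CR/LF are not representable at all; values containing them (or
    8-bit characters) would need literal syntax, which this example omits.
    """
    check_argument(value, "IMAP string")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def imap_select(tag, mailbox):
    """Build a SELECT command line for a client-supplied mailbox name."""
    check_argument(tag, "IMAP tag")
    return f"{tag} SELECT {imap_quoted(mailbox)}\r\n"


def smtp_rcpt_to(address):
    """Build an RCPT TO line; the angle brackets are ours, not the caller's."""
    check_argument(address, "SMTP address")
    if re.search(r"[<>\s]", address):
        raise CommandInjectionError("SMTP address contains '<', '>' or whitespace")
    return f"RCPT TO:<{address}>\r\n"


def session_cookie_header(name, value, path, https):
    """Set-Cookie header with the two limits named above: Path and Secure."""
    check_argument(value, "cookie value")
    parts = [f"{name}={value}", f"Path={path}"]
    if https:
        parts.append("Secure")   # browser will never send it over plain HTTP
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    # Constructed inputs: a mailbox name with quotes, a normal recipient,
    # and two values that a validation layer must refuse.
    print(imap_select("A001", 'Sent "Items"').rstrip())
    print(smtp_rcpt_to("user@example.com").rstrip())
    print(session_cookie_header("hm2_session", "c0nstructed", "/hastymail2/", True))
    for bad in ("INBOX\r\nA002 NOOP", "INBOX\x00"):
        try:
            imap_select("A002", bad)
        except CommandInjectionError as err:
            print("rejected:", err)
```

Raising a fatal error, as the RC 8 notes describe, is the right reaction here: a mailbox name or address carrying a line break is never legitimate user input, so there is nothing to recover from and the rejection itself is a useful log event. The cookie helper only demonstrates the two attributes the notes mention; `HttpOnly` is the usual companion flag for a session cookie.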

 

Hastymail2 1.1 RC2 Stable, released November 10, 2011, addresses two security issues.

Two issues were discovered and disclosed by Bruno Teixeira regarding unsafe handling of AJAX callback assignments. At worst, these issues could provide remote code execution attack vectors, and all users are recommended to upgrade to the latest version to mitigate any potential problem.

The latest version of Hastymail2 is available here:

http://sourceforge.net/projects/hastymail/files/latest/download

Thanks Bruno for professionally disclosing these issues with enough lead time to provide a fix.

 
