oss-sec mailing list archives
CVE request: hastymail before 1.01 XSS
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 5 Jan 2011 12:24:40 +0100
See http://www.hastymail.org/security/

"Many thanks to Julien CAYSSOL who discovered and reported the issue. The specific problem is an XSS attack vector in HTML formatted messages that takes advantage of background attributes used with table cell elements. Due to an incorrect implementation of the new htmLawed HTML filter this attribute value was not properly sanitized and could be used to inject executable JavaScript. This was NOT a flaw in the htmLawed filter code itself, but a problem with its specific use in Hastymail2. The Hastymail2 1.01 release was packaged specifically to address this one issue."

-- 
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail: hanno () hboeck de
http://schokokeks.org - professional webhosting
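The advisory quoted above describes a filter that let the background attribute on table cells through unsanitized. The following is an added example, not Hastymail2 or htmLawed code, of the allow-list check such a filter needs: a small HTML re-serialiser that keeps background= on table elements only when the value is an absolute http(s) URL and records everything it drops. Element names, the sample message body and the helper names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import html

# Hypothetical allow-list filter written for this post; not Hastymail2/htmLawed code.
TABLE_ELEMENTS = {"table", "tbody", "thead", "tfoot", "tr", "td", "th"}


def background_is_safe(value):
    """Allow-list: keep a background only if it is an absolute http(s) URL.
    Everything else (javascript:, data:, vbscript:, scheme-less, empty) is dropped,
    so odd casing or embedded control characters never reach a deny-list."""
    if not value:
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in {"http", "https"} and bool(parsed.netloc)


class CellBackgroundFilter(HTMLParser):
    """Re-serialises the markup, stripping unsafe background= on table elements."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: handle_data receives decoded text
        self.out, self.dropped = [], []

    def _tag(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if tag in TABLE_ELEMENTS and name == "background" and not background_is_safe(value):
                self.dropped.append((tag, value))  # audit trail for logging/alerting
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def sanitize_table_backgrounds(markup):
    """Return (cleaned_markup, list of (tag, value) backgrounds that were dropped)."""
    f = CellBackgroundFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample message body: one benign and one hostile cell background.
SAMPLE = ('<table><tr><td background="http://example.com/bg.png">ok</td>'
          '<td background="javascript:alert(1)">x</td></tr></table>')
```

Running `sanitize_table_backgrounds(SAMPLE)` keeps the image URL, removes the second cell's attribute and returns it in the dropped list, which is the signal a mail front end should log.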