Please use CVE-2010-4646 for this.
Thanks.
-- JB

----- Original Message -----
> See
> http://www.hastymail.org/security/
>
> "Many thanks to Julien CAYSSOL who discovered and reported the issue. The
> specific problem is an XSS attack vector in HTML formatted messages that takes
> advantage of background attributes used with table cell elements. Due to an
> incorrect implementation of the new htmLawed HTML filter this attribute value
> was not properly sanitized and could be used to inject executable JavaScript.
> This was NOT a flaw in the htmLawed filter code itself, but a problem with
> its specific use in Hastymail2. The Hastymail2 1.01 release was packaged
> specifically to address this one issue."
>
> --
> Hanno Böck Blog: http://www.hboeck.de/
> GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de
>
> http://schokokeks.org - professional webhosting
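A check for the attribute class the advisory describes, added here as an illustration and not code from Hastymail2 or htmLawed: it rewrites an HTML message body, keeps a background= attribute only when its value is an absolute http(s) URL, and records every value it drops so the event can be logged. The scheme policy, the re-serialisation approach and the sample body are assumptions for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}  # policy assumed for this example


def background_is_safe(value: str) -> bool:
    """Allow a background= value only if it is an absolute http(s) URL.

    Whitespace and control characters are stripped first, because browsers
    tolerate them inside a scheme, so a split-up "javascript:" must not pass.
    Relative URLs get no scheme and are rejected too (deliberately strict).
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class BackgroundFilter(HTMLParser):
    """Re-serialise an HTML fragment, dropping unsafe background= attributes.

    Everything else is passed through re-escaped; this is a narrow check for
    the one attribute the advisory names, not a full sanitiser.
    """

    def __init__(self):
        super().__init__()
        self.out = []
        self.dropped = []  # (tag, value) pairs for logging or detection

    def _start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:  # HTMLParser lower-cases tag and attr names
            if name == "background" and not (value and background_is_safe(value)):
                self.dropped.append((tag, value))
                continue
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def filter_backgrounds(fragment: str):
    """Return (cleaned_html, dropped_attributes) for an HTML message body."""
    f = BackgroundFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample message body, not taken from the advisory.
SAMPLE = ('<table><tr><td background="javascript:void(0)">x</td>'
          '<td background="https://example.com/bg.png">y</td></tr></table>')
```

Running `filter_backgrounds(SAMPLE)` keeps the second cell's attribute and returns the first cell's value in the dropped list, which is the signal a mail gateway would log.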