oss-security January 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: hastymail before 1

Re: [oss-security] CVE request: hastymail before 1.01 XSS

From: Josh Bressers <bressers_at_nospam>
Date: Thu Jan 06 2011 - 18:50:37 GMT
To: oss-security@lists.openwall.com

Please use CVE-2010-4646 for this.

Thanks.

-- JB ----- Original Message ----- > See > http://www.hastymail.org/security/ > > "Many thanks to Julien CAYSSOL who discovered and reported the issue. > The > specific problem is an XSS attack vector in HTML formatted messages > that takes > advantage of background attributes used with table cell elements. Due > to an > incorrect implementation of the new htmLawed HTML filter this > attribute value > was not properly sanitized and could be used to inject executable > JavaScript. > This was NOT a flaw in the htmLawed filter code itself, but a problem > with > it's specific use in Hastymail2. The Hastymail2 1.01 release was > pacakages > specifically to address this one issue. " > > -- > Hanno Böck Blog: http://www.hboeck.de/ > GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de > > http://schokokeks.org - professional webhosting