oss-sec mailing list archives

Re: CVE request: hastymail before 1.01 XSS

From: Josh Bressers <bressers () redhat com>
Date: Thu, 6 Jan 2011 13:50:37 -0500 (EST)

Please use CVE-2010-4646 for this.

Thanks.

-- 
     JB

----- Original Message -----

See
http://www.hastymail.org/security/

"Many thanks to Julien CAYSSOL who discovered and reported the issue.
The
specific problem is an XSS attack vector in HTML formatted messages
that takes
advantage of background attributes used with table cell elements. Due
to an
incorrect implementation of the new htmLawed HTML filter this
attribute value
was not properly sanitized and could be used to inject executable
JavaScript.
This was NOT a flaw in the htmLawed filter code itself, but a problem
with
it's specific use in Hastymail2. The Hastymail2 1.01 release was
pacakages
specifically to address this one issue. "

--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno () hboeck de

http://schokokeks.org - professional webhosting

Current thread:

CVE request: hastymail before 1.01 XSS Hanno Böck (Jan 05)
- Re: CVE request: hastymail before 1.01 XSS Josh Bressers (Jan 06)