| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Aug 2004 10:31:13 -0500 From: "Jason Munro" <jason@...bev.com> To: <bugtraq@...urityfocus.com> Subject: Hastymail security update ---Software--- Hastymail is a web based IMAP client written in PHP4 released under the GNU GPL. More information about Hastymail can be found at our homepage: http://hastymail.sourceforge.net ---Problem--- A problem was discovered yesterday regarding the use of the "download" link to download message parts using Internet Explorer while on the message view page. When using Internet Explorer and clicking on "download" for a HTML message part it is possible that rather than prompt the user to save the file it will open UNFILTERED in the user's web browser. Though we set the MIME type of the file to be downloaded to application/octet-stream we did not send the "attachment" paramater in the HTTP Content-Disposition header, therefore Internet Explorer would assume the file should be displayed inline, most likely looking at the filename extension to determine how to open it. ---Fixes--- We have made patches for current versions and a drop in replacement file available on our website. New versions of both our development and stable series have also been released. The only difference between the new stable version (1.0.2) and the prior version is a fix for this problem. The new development version (1.2) also contains some other fixes and a few new features. patch for 1.1: http://hastymail.sourceforge.net/hastymail-1.1_download_fix.diff patch for 1.0.1: http://hastymail.sourceforge.net/hastymail-1.0.1_download_fix.diff drop in replacement file for BOTH 1.1 and 1.0.1: http://hastymail.sourceforge.net/download.php.tar.gz download 1.2 or 1.0.2: http://sourceforge.net/project/showfiles.php?group_id=66202 ---More information--- As this issue could represent a way for activex or javascript to be executed without user consent, we recommend all sites upgrade to the latest version, use the drop-in replacement file, or patch their existing installation. More information can be found on our security page at: http://hastymail.sourceforge.net/security.php Thanks to Manish Raje for reporting this issue. \__ Jason Munro \__ jason@...bev.com \__ http://hastymail.sourceforge.net/
Powered by blists - more mailing lists