Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

Bugtraq ID:	50791
Class:	Input Validation Error
CVE:	CVE-2011-4542
Remote:	Yes
Local:	No
Published:	Nov 23 2011 12:00AM
Updated:	Jul 12 2012 04:30PM
Credit:	BTeixeira
Vulnerable:
Not Vulnerable:

Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

Hastymail is prone to multiple remote code-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to inject and execute arbitrary malicious code with the privileges of the user running the application.

Hastymail 2.1.1 is vulnerable; other versions may also be affected.

Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

An attacker can exploit this issue through a browser.

The following exploit code is available:

• /data/vulnerabilities/exploits/50791.rb

Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

References:

• Hastymail2 Homepage (Hastymail)
  
• RCI Vulnerability in Hastymail (ver. 2.1.1) (Dognadis)