Hastymail 'rs' And 'rsargs[]' Parameters Remote Code Injection Vulnerabilities Network Vulnerability

Summary

The host is running Hastymail2 and is prone to remote code injection vulnerabilities.

Impact

Successful exploitation will allow remote attackers to inject and execute arbitrary malicious code with the privileges of the user running the application. Impact Level: Application/System

Solution

Upgrade to Hastymail2 version 2.1.1 RC2 or later, For updates refer to http://www.hastymail.org/downloads/

Insight

The flaw is due to improper validation of user-supplied input via the 'rs' and 'rsargs[]' parameters to index.php (when 'page' is set to 'mailbox' and 'mailbox' is set to 'Drafts'), which allows attackers to execute arbitrary code in the context of an affected site.

Affected

Hastymail2 version 2.1.1

References

http://www.securityfocus.com/bid/50791
https://www.dognaedis.com/vulns/DGS-SEC-3.html
https://www.dognaedis.com/vulns/pdf/DGS-SEC-3.pdf

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4542
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

AdPeeps 'index.php' Multiple Vulnerabilities.
Agora CGI Cross Site Scripting
Apache Struts2 Redirection and Security Bypass Vulnerabilities
ActualAnalyzer Lite 'ant' Cookie Parameter Remote Command Execution Vulnerability
Alchemy Eye HTTP Command Execution

Hastymail 'rs' and 'rsargs[]' Parameters Remote Code Injection Vulnerabilities

Take action and discover your vulnerabilities