This is a page dedicated to explaining the security techniques used by
Hastymail as well as some recommendations for properly configuring and using
this webmail client with regards to security.
Security UPDATE 10-08-2006:
An application security bypass method was discovered that could allow a user with a valid Hastymail account to send commands directly to either the IMAP or SMTP server by embedding an "end of command" sequence, followed by a hand-written command, into a Hastymail variable. Under normal circumstances Hastymail decides what IMAP and SMTP commands to send. Using this method a malicious user could send any command they wanted to either the IMAP or SMTP server software. If either of these services is vulnerable to a remote exploit, this application security bypass in Hastymail could give an attacker an avenue with which to attempt to exploit the IMAP or SMTP service. Again, only valid, logged-in Hastymail users could take advantage of this bypass. While I would not classify this issue as critical, I would urge everyone to upgrade to 1.5 if not already, and to apply the following patch:
Patch for Hastymail 1.5. Move to the top level hastymail directory and run "patch -p1 < patch_name":
hastymail_1.5_command_injection_fix.diff
The entire patch removes 2 lines and adds 1. Here is the diff -u output:
diff -u -u hastymail-1.5/lib/session.php hastymail-1.5-patched/lib/session.php
--- hastymail-1.5/lib/session.php 2006-10-08 17:19:58.000000000 -0500
+++ hastymail-1.5-patched/lib/session.php 2006-10-08 17:22:52.000000000 -0500
@@ -66,7 +66,7 @@
}
break;
case 'folder':
- $checked[$key] = (string) $value;
+ $checked[$key] = (string) (str_replace(array("\n", "\r"), '', $value));
break;
case 'int':
$checked[$key] = (int) intval($value);
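Review bot: the new line `$checked[$key] = (string) (str_replace(array("\n", "\r"), '', $value));` silently rewrites the folder value instead of rejecting it, so a request whose mailbox name carries a CR or LF is quietly turned into a different but well-formed name rather than failing. Since no legitimate mailbox name contains CR or LF, consider failing validation (and logging the attempt) when `strpbrk($value, "\r\n") !== false`, so that tampering is visible to the administrator. The outer `(string)` cast is also redundant here, because str_replace already returns a string.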
diff -u -u hastymail-1.5/lib/smtp.php hastymail-1.5-patched/lib/smtp.php
--- hastymail-1.5/lib/smtp.php 2006-10-08 17:18:31.000000000 -0500
+++ hastymail-1.5-patched/lib/smtp.php 2006-10-08 17:22:52.000000000 -0500
@@ -352,6 +352,7 @@
$smtp_message .= 'x-priority: '.$priority."\r\n";
}
$smtp_message .= "MIME-Version: 1.0\r\n";
+ $smtp_message = preg_replace("/^\.\r\n/", "..\r\n", $smtp_message);
$size = 0;
$bndry = '';
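Review bot: `preg_replace("/^\.\r\n/", "..\r\n", $smtp_message)` has no `m` (multiline) modifier, so `^` anchors only at the very start of `$smtp_message`; a lone "." line anywhere after the first header line is left untouched. It also only handles a line that is exactly ".", while the SMTP DATA rule (RFC 5321 section 4.5.2) requires every line that begins with "." to be prefixed with another dot. Suggest `$smtp_message = preg_replace('/^\./m', '..', $smtp_message);`, and running it over the complete message once the body has been appended, since at this point (just before `$size = 0;` and `$bndry = '';`) only the headers have been assembled, as the accompanying text also says.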
The first change removes newline characters from any variable that holds a mailbox name on any HTML POST or GET request. The second change checks and fixes outgoing message headers for the SMTP "end of data" sequence (a single dot alone on a line).
The patch for the 1.0.2 version of Hastymail is the same patch with different line numbers:
hastymail_1.0.2_command_injection_fix.diff
The 1.0.2 version of Hastymail has been made obsolete by the improvements in the development branch. Once the development branch hits 2.0 it will replace the stable series code. Until then security patches will continue to be made available for the stable series, but users would be better served by the development releases.
I would like to thank Vicente Aguilera Diaz of Internet Security Auditors for the discovery and disclosure of this issue.
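The two defences described above, written out as general-purpose functions. This is an added example and not Hastymail's own code; the function names and the sample values are constructed for this illustration. It goes a little beyond the patch: the mailbox check rejects rather than strips bad input, and the dot-stuffing covers every line of the whole payload, not just a lone dot at the start of the headers.

```php
<?php
// Added example, not Hastymail's own code: the two defences from the patch
// above as reusable functions. Names and sample values are constructed.

// IMAP reads its command stream line by line, so a mailbox name carrying CR
// or LF would end the current command early. Reject such names outright
// instead of silently stripping the characters, so a tampered request fails
// visibly. Only printable ASCII is accepted: IMAP mailbox names are modified
// UTF-7 encoded (RFC 3501), which is pure ASCII.
function imap_quote_mailbox(string $name): string
{
    if ($name === '' || preg_match('/[^\x20-\x7E]/', $name)) {
        throw new InvalidArgumentException('mailbox name contains control or non-ASCII characters');
    }
    // RFC 3501 quoted string: escape backslash and double quote.
    return '"' . addcslashes($name, '\\"') . '"';
}

// Inside SMTP DATA a line holding a single "." ends the message, so the
// client must dot-stuff every line that starts with "." (RFC 5321 section
// 4.5.2). The /m modifier makes ^ match at every line start, not only the
// first one, and the whole payload (headers and body) is processed.
function smtp_dot_stuff(string $message): string
{
    $message = preg_replace("/\r\n|\r|\n/", "\r\n", $message);   // canonical CRLF first
    return preg_replace('/^\./m', '..', $message);
}

// Constructed sample message whose body contains a lone "." line and a line
// that merely begins with a dot; both must be stuffed.
$sample = "Subject: test\r\nMIME-Version: 1.0\r\n\r\nfirst line\n.\n.hidden\nlast line\n";
$wire   = smtp_dot_stuff($sample);
echo $wire;
echo 'bare end-of-data line still present: ',
     (strpos($wire, "\r\n.\r\n") === false ? 'no' : 'yes'), "\n";

// Constructed folder values: one normal, one carrying a CR/LF plus extra text.
foreach (["Sent Items", "INBOX\r\nINJECTED"] as $name) {
    try {
        echo imap_quote_mailbox($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The receiving SMTP server removes the extra dot again, so dot-stuffing is lossless for the recipient; rejecting bad mailbox names, rather than cleaning them, has the added benefit that the failure can be logged as a sign of a tampered request.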
Security UPDATE 4-15-2005:
An information disclosure issue was found in the development version of Hastymail in the style.php file, which an attacker could abuse to read arbitrary files on the server (those readable by the user the web server runs as). No remote code execution is possible through this, but it does represent an unacceptable information disclosure risk, so we recommend all users either apply the supplied patch, use the drop-in replacement for style.php, or upgrade to the 1.4 (or newer) version of Hastymail.
You can download updated versions of Hastymail here:
Upgrade to 1.4 or newer: Latest
-OR-
You can download a drop-in replacement for style.php for Hastymail versions 1.1 - 1.3.
Just download and untar this file and move it to hastymail/html/style.php:
style.tar.gz
-OR-
Lastly you can get a patch for Hastymail versions 1.1 - 1.3 to style.php below. Just move the patch into
the top hastymail directory and run "patch -p0 < patch_name":
style.php.diff
Security UPDATE 8-24-2004:
A security issue was found in both the stable and development versions of Hastymail that affects IE users and the "download" link on the message view page. If a user downloads an HTML part, even though the MIME type of the part is set to application/octet-stream, because we did not define the "attachment" parameter of the Content-Disposition HTTP header, Internet Explorer will look at the file extension and open the attachment inline. This is dangerous because the attachment is unfiltered at this point and could contain JavaScript or ActiveX code. With the fix in place Internet Explorer will not open the HTML file but will instead prompt the user to save or open it.
You can download updated versions of Hastymail here:
Upgrade from Development 1.1: 1.2 (this version also contains new features)
Upgrade from Stable 1.0.1: 1.0.2
-OR-
If you are running 1.1 or 1.0.1 you can use this drop-in replacement for download.php.
Just download and untar this file and move it to hastymail/html/download.php. It works for both
1.1 AND 1.0.1.
Drop-in replacement file: download.php.tar.gz
-OR-
Lastly you can get a patch for 1.1 or 1.0.1 to download.php below. Just move the patch into
the top hastymail directory and run "patch -p0 < patch_name":
patch for 1.0.1: hastymail-1.0.1_download_fix.diff
patch for 1.1: hastymail-1.1_download_fix.diff
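The kind of header handling the fix above describes, as an added example that is not Hastymail's download.php. The function names and sample values are constructed; the X-Content-Type-Options header is a later browser feature that did not exist when this advisory was written and is included here as the modern complement to the attachment disposition.

```php
<?php
// Added example, not Hastymail's download.php: send a message part so that
// the browser is told explicitly to save it rather than render it inline.
// Function names and sample values are constructed for this illustration.

// Build the response headers for a downloaded part. CR/LF and other control
// bytes are removed from the filename so they can never reach a header line;
// the quoted parameter gets a plain ASCII form and the RFC 5987 filename*
// parameter carries the original name for browsers that understand it.
function attachment_headers(string $filename, int $length): array
{
    $filename = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $filename);     // non-ASCII -> underscore
    $ascii = str_replace(['"', '\\', '/'], '_', $ascii);           // no quotes, no path separators
    if ($ascii === '' || $ascii === '.' || $ascii === '..') {
        $ascii = 'attachment.bin';
    }
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($filename),
        'X-Content-Type-Options: nosniff',   // modern addition: no sniffing of the bytes either
        'Content-Length: ' . $length,
    ];
}

function send_attachment(string $filename, string $bytes): void
{
    foreach (attachment_headers($filename, strlen($bytes)) as $h) {
        header($h);
    }
    echo $bytes;
}

// Constructed sample: an HTML part whose name carries a CR/LF and a quote.
$part = "<html><body>hello</body></html>";
print_r(attachment_headers("rep\"ort\r\n.html", strlen($part)));
// In a real handler: send_attachment($name, $part);
```

With Content-Disposition set to attachment the browser offers a save/open prompt regardless of the file extension, which is exactly the behaviour the fix restores for Internet Explorer; the filename clean-up matters because the name usually comes straight from the MIME part of an untrusted message.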
Security Contact
The Hastymail developers want to provide a secure E-mail client that
users can trust. If you believe you have found a security exploit for Hastymail,
or simply have questions regarding Hastymail security, please contact us.
Project admin:
sailfrog@users.sourceforge.net
Development list:
hastymail-devel@lists.sourceforge.net
One of the great things about open source software is the collaborative effort
of knowledgeable people making software better. Please be a part of the community and
contact us with security related issues!
Hastymail Security
There are many security considerations that have an impact on web-based applications, especially
those involving E-mail.
Plain text transfer of HTTP. The HTTP protocol sends web pages and user input back and forth
from the web browser to the server in plain text. To protect this data from prying eyes Hastymail
should be hosted using HTTPS (Secure HTTP). Hastymail will work with either transparently.
Cross-site scripting. Cross-site scripting can allow users to gain more information from the
server than you want them to have, or could allow one user to access the webmail account of another.
Hastymail tackles this problem by attacking its source: the misuse of uninitialized variables.
Code development is done with verbose PHP warnings to make sure that all variables are properly
initialized. All user-supplied variables are checked with a special validate function to ensure
that they are not being misused.
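One way to implement the validate step described above, as an added example that is not Hastymail's own validate function. Every parameter the application expects is declared with a type and a default, so after validation every variable exists and has the right shape, which closes the uninitialized-variable problem the text names. The spec table and the sample request are constructed.

```php
<?php
// Added example, not Hastymail's validate function: type-driven checking of
// request variables. The spec, keys and sample request are constructed.

// $spec maps each expected parameter to [type, default, (allowed values)].
// Every key in $spec is present in the result, so nothing downstream can
// read an uninitialized variable or one whose shape is wrong.
function validate_request(array $spec, array $raw): array
{
    $checked = [];
    foreach ($spec as $key => $rule) {
        $type    = $rule[0];
        $default = $rule[1];
        $checked[$key] = $default;
        if (!isset($raw[$key]) || is_array($raw[$key])) {
            continue;                               // absent or wrong shape: keep the default
        }
        $value = (string) $raw[$key];
        switch ($type) {
            case 'int':                             // digits only; "3abc" is not an int
                if (preg_match('/^-?\d{1,9}$/', $value)) {
                    $checked[$key] = (int) $value;
                }
                break;
            case 'bool':
                $checked[$key] = in_array($value, ['1', 'on', 'true'], true);
                break;
            case 'enum':                            // whitelist; $rule[2] lists the allowed values
                if (in_array($value, $rule[2], true)) {
                    $checked[$key] = $value;
                }
                break;
            case 'folder':                          // IMAP mailbox name: printable ASCII only, no CR/LF
                if ($value !== '' && !preg_match('/[^\x20-\x7E]/', $value)) {
                    $checked[$key] = $value;
                }
                break;
            case 'text':                            // free text: drop control bytes, cap the length
                $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
                $checked[$key] = substr($clean, 0, 1000);
                break;
            default:
                throw new LogicException("unknown type for parameter $key");
        }
    }
    return $checked;
}

// Constructed spec and request, as if the request came from $_GET.
$spec = [
    'page'   => ['int', 1],
    'sort'   => ['enum', 'date', ['date', 'from', 'subject']],
    'folder' => ['folder', 'INBOX'],
    'unread' => ['bool', false],
    'query'  => ['text', ''],
];
$raw = [
    'page'   => '3abc',                 // not an int: falls back to 1
    'sort'   => 'size',                 // not in the whitelist: falls back to 'date'
    'folder' => "INBOX\r\nINJECTED",    // control characters: falls back to 'INBOX'
    'query'  => "hello\x00world",       // NUL byte removed
    // 'unread' is missing: default false
];
print_r(validate_request($spec, $raw));
```

Validation on the way in is only half of the cross-site scripting defence; whatever is later written into a page still needs to be passed through htmlspecialchars() at the point of output, since a validated "text" value is still free text.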
Web application sessions. Sessions are a way for a web application to save information between
page loads. This is what keeps you logged in to Hastymail. The session has an id associated with it
that, if stolen by another user, could allow outside access to one's webmail account. Your session
also contains an encrypted version of your password, which requires an encryption key to decipher.
If you are running the Apache web server there is a method to create the encryption key so that
it is still protected from normal user shell access and only available to the root user. HTML-formatted
E-mail presents another risk, as it contains HTML that is not part of the application. Aside from the
techniques outlined above to avoid cross-site scripting, Hastymail can also:
- Remove nasty parts of HTML messages (like scripts) as well as images and links.
- Run without any Javascript support in the web browser. Hastymail is all W3C compliant HTML.
- Use a dynamic session identifier that is only good for one page load, then expires, making it
useless if "stolen".
- Validate the current user's IP address and browser string on each page load.
- Use a cookie with a randomly generated value that changes on each page load to protect against
session hijacking.
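The last three items of that list, combined into one page-load check, as an added example that is not Hastymail's session code. It sits on top of PHP's native session and assumes PHP 7.3 or later (for the setcookie options array); the cookie name, session keys and the login.php redirect target are constructed for this illustration.

```php
<?php
// Added example, not Hastymail's session code: a single-use request token,
// client binding, and session-id rotation on every page load.
// Assumes PHP 7.3+; cookie name, session keys and login.php are constructed.

session_start();

// Fingerprint of the client the session is bound to: address plus browser string.
function client_fingerprint(): string
{
    $addr = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $addr . '|' . $ua);
}

// Issue a fresh random token for the next request; the previous one becomes
// useless the moment this page is served, so a copied cookie is worthless.
function issue_request_token(): void
{
    $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG
    $_SESSION['request_token'] = $token;
    $_SESSION['fingerprint']   = client_fingerprint();
    setcookie('hm_token', $token, [
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),     // only over HTTPS when available
        'httponly' => true,                          // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Constant-time comparison of the presented token and the client fingerprint
// against what was stored when the previous page was served.
function request_is_valid(string $expected_token, string $given_token,
                          string $expected_fp, string $current_fp): bool
{
    return $expected_token !== ''
        && hash_equals($expected_token, $given_token)
        && hash_equals($expected_fp, $current_fp);
}

if (isset($_SESSION['user'])) {                     // only logged-in sessions are checked
    $valid = request_is_valid(
        $_SESSION['request_token'] ?? '', $_COOKIE['hm_token'] ?? '',
        $_SESSION['fingerprint'] ?? '',   client_fingerprint()
    );
    if (!$valid) {
        // Token replayed or missing, or the client changed: end the session.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    session_regenerate_id(true);                    // rotate PHP's own session id as well
}
issue_request_token();                              // every page load, logged in or not
```

The trade-offs are worth knowing before turning this on: a token that is valid for exactly one page load breaks the browser's back button and any use of the client in several tabs, and binding to the IP address logs out users whose address changes mid-session (mobile networks, load-balanced proxies). These checks are defence in depth; HTTPS plus the secure and httponly cookie flags remain the primary protection of the session id itself.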
IMAP issues. Since Hastymail is a client application, the security of your IMAP server is an important
factor in securing your webmail setup. Like HTTP, the default IMAP data transfer is in plain text.
There are some ways you can protect against this. If Hastymail and the IMAP server run on the same
machine, configuring the IMAP service to only listen on the loopback device will make the IMAP traffic
unavailable to outsiders. Also, using secure IMAP on port 993 will encrypt your IMAP communication in
the same way that HTTPS does for HTTP. Hastymail can be configured for IMAPS if you are running PHP
4.3 or greater. IMAP supplies several other methods to secure communications with a client, like the
STARTTLS command, and other protected authentication mechanisms like CRAM-MD5. As of this time Hastymail
supports the CRAM-MD5, PLAIN, and LOGIN methods of authentication for IMAP.
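What the IMAPS, STARTTLS and CRAM-MD5 options above look like at the protocol level, as an added example that is not Hastymail's IMAP code. The connection is encrypted before any credentials are sent (implicit TLS on 993, otherwise a STARTTLS upgrade on 143), and CRAM-MD5 answers a server challenge with an HMAC so the password itself never crosses the wire. It assumes PHP 7.1 or later with the OpenSSL extension; the host, user and password are placeholders, and the offline self-check uses the worked example from RFC 2195.

```php
<?php
// Added example, not Hastymail's own code: encrypted IMAP connection setup
// (IMAPS, falling back to STARTTLS) followed by CRAM-MD5 authentication.
// Assumes PHP 7.1+ with OpenSSL; host and credentials are placeholders.

function imap_readline($fp): string
{
    $line = fgets($fp, 8192);
    if ($line === false) {
        throw new RuntimeException('IMAP connection closed');
    }
    return rtrim($line, "\r\n");
}

// Send one tagged command and read up to the tagged response; fail on non-OK.
function imap_command($fp, string $tag, string $cmd): array
{
    fwrite($fp, "$tag $cmd\r\n");
    $lines = [];
    do {
        $line = imap_readline($fp);
        $lines[] = $line;
    } while (strpos($line, "$tag ") !== 0);
    if (strpos($line, "$tag OK") !== 0) {
        throw new RuntimeException("IMAP command failed: $line");
    }
    return $lines;
}

function imap_connect_encrypted(string $host)
{
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    // Preferred: implicit TLS on port 993 (IMAPS).
    $fp = @stream_socket_client("ssl://$host:993", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp !== false) {
        imap_readline($fp);                              // server greeting
        return $fp;
    }
    // Otherwise plain 143, upgraded with STARTTLS before anything sensitive is sent.
    $fp = stream_socket_client("tcp://$host:143", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr");
    }
    imap_readline($fp);
    imap_command($fp, 'a1', 'STARTTLS');
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        throw new RuntimeException('TLS negotiation failed');
    }
    return $fp;
}

// CRAM-MD5 (RFC 2195): reply = base64("user " . hex(HMAC-MD5(key = password, msg = challenge))).
function cram_md5_response(string $user, string $password, string $challenge_b64): string
{
    $challenge = base64_decode($challenge_b64, true);
    if ($challenge === false) {
        throw new RuntimeException('malformed CRAM-MD5 challenge');
    }
    return base64_encode($user . ' ' . hash_hmac('md5', $challenge, $password));
}

function imap_authenticate_cram_md5($fp, string $user, string $password): void
{
    fwrite($fp, "a2 AUTHENTICATE CRAM-MD5\r\n");
    $line = imap_readline($fp);                          // continuation: "+ <base64 challenge>"
    if ($line === '' || $line[0] !== '+') {
        throw new RuntimeException("unexpected response: $line");
    }
    fwrite($fp, cram_md5_response($user, $password, trim(substr($line, 1))) . "\r\n");
    $line = imap_readline($fp);
    if (strpos($line, 'a2 OK') !== 0) {
        throw new RuntimeException("authentication failed: $line");
    }
}

// Offline self-check against the worked example in RFC 2195 section 2.
$ok = cram_md5_response('tim', 'tanstaaftanstaaf',
        'PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+')
      === 'dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw';
echo 'RFC 2195 vector ', ($ok ? 'matches' : 'does NOT match'), "\n";

// Placeholder connection; replace host and credentials before running.
// $fp = imap_connect_encrypted('imap.example.invalid');
// imap_authenticate_cram_md5($fp, 'user', 'password');
// imap_command($fp, 'a3', 'LOGOUT');
```

Note that CRAM-MD5 protects the password on the wire but not the session contents, and it requires the server to keep the password in a recoverable form; the TLS step is what protects everything else, which is why it happens before AUTHENTICATE. Without TLS, PLAIN and LOGIN send the password in the clear, so on a plain port 143 connection the STARTTLS upgrade (or a loopback-only IMAP listener, as the text suggests) is the real safeguard.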
PHP issues. PHP is a powerful, fast, easy-to-use web scripting language with a wide array
of configuration options and built-in functions. While these features make a programmer's job easier,
it is not surprising that they also make PHP susceptible to security exploits. PHP includes functions that
can be used to execute other applications on the server (Hastymail does not use any of these),
and PHP has had a number of security-related issues over past releases. However, PHP is actively developed
and always improving, so keeping current with the latest stable PHP releases is
an important way to keep your installation secure. Hastymail is not recommended (or supported!) for use with
PHP versions less than 4.1. Hastymail does not use functions that may be exploitable (that we know of :) and
should be run with the PHP register_globals option set to off (all PHP scripts should). With slight modifications
Hastymail can run in PHP's safe mode.