ID OSVDB:9131 Type osvdb Reporter Jason Munro(jason@stdbev.com) Modified 2004-08-24T05:45:10
Description
Vulnerability Description
Hastymail contains a flaw that allows a remote cross-site scripting attack. The flaw exists because email attachments are not properly defined in the Content-Disposition HTTP header: per the CVE-2004-2704 entry, the "attachment" parameter is not sent, so Internet Explorer renders the attachment inline when the victim clicks the download link. This could allow an attacker to place JavaScript or ActiveX code in an attachment that would then execute in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Upgrade to version 1.0.2, 1.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the patch provided by the vendor for versions 1.0.1 and 1.1.
Short Description
Hastymail contains a flaw that allows a remote cross-site scripting attack. The flaw exists because email attachments are not properly defined in the Content-Disposition HTTP header, which allows Internet Explorer to open them inline. This could allow an attacker to place JavaScript or ActiveX code in an attachment that would then execute in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
References:
Vendor Specific News/Changelog Entry: http://hastymail.sourceforge.net/security.php
Security Tracker: 1011054
Secunia Advisory ID:12358
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0322.html
ISS X-Force ID: 17091
CVE-2004-2704
Bugtraq ID: 11022
{"edition": 1, "title": "Hastymail Attachment Content-Disposition Header XSS", "bulletinFamily": "software", "published": "2004-08-24T05:45:10", "lastseen": "2017-04-28T13:20:04", "modified": "2004-08-24T05:45:10", "reporter": "Jason Munro(jason@stdbev.com)", "viewCount": 4, "href": "https://vulners.com/osvdb/OSVDB:9131", "description": "## Vulnerability Description\nHastymail contains a flaw that allows a remote cross site scripting attack. The flaw exists because email attachments are not properly defined in the Content-Disposition HTTP header, which will allow Internet Explorer to open it inline. This could allow a user to inject Javascript or activeX code in the attachement that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2, 1.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the patch provided by the vendor for versions 1.0.1 and 1.1.\n## Short Description\nHastymail contains a flaw that allows a remote cross site scripting attack. The flaw exists because email attachments are not properly defined in the Content-Disposition HTTP header, which will allow Internet Explorer to open it inline. 
This could allow a user to inject Javascript or activeX code in the attachement that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor Specific News/Changelog Entry: http://hastymail.sourceforge.net/security.php\nSecurity Tracker: 1011054\n[Secunia Advisory ID:12358](https://secuniaresearch.flexerasoftware.com/advisories/12358/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0322.html\nISS X-Force ID: 17091\n[CVE-2004-2704](https://vulners.com/cve/CVE-2004-2704)\nBugtraq ID: 11022\n", "affectedSoftware": [{"name": "Hastymail", "version": "1.0.1", "operator": "eq"}, {"name": "Hastymail", "version": "1.1", "operator": "eq"}], "type": "osvdb", "references": [], "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2017-04-28T13:20:04", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-2704"]}, {"type": "nessus", "idList": ["HASTYMAIL_ATTACHMENT_EXEC.NASL"]}], "modified": "2017-04-28T13:20:04", "rev": 2}, "vulnersScore": 5.6}, "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.3}, "cvelist": ["CVE-2004-2704"], "id": "OSVDB:9131"}
{"cve": [{"lastseen": "2020-12-09T19:21:34", "description": "Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) does not send the \"attachment\" parameter in the Content-Disposition field for attachments, which causes the attachment to be rendered inline by Internet Explorer when the victim clicks the download link, which facilitates cross-site scripting (XSS) and possibly other attacks.", "edition": 5, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-2704", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2704"], "modified": "2017-07-29T01:29:00", "cpe": ["cpe:/a:hastymail:hastymail:1.0.1", "cpe:/a:microsoft:ie:*", "cpe:/a:hastymail:hastymail:1.1"], "id": "CVE-2004-2704", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2704", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:ie:*:*:*:*:*:*:*:*", "cpe:2.3:a:hastymail:hastymail:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:hastymail:hastymail:1.0.1:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-20T11:31:49", "description": "The remote host is running HastyMail, a PHP-based mail client\napplication.\n\nThe installed version contains a flaw caused by email attachments not\nbeing properly defined int he Content-Disposition HTTP header. 
An\nattacker could exploit this flaw to inject Javascript or ActiveX code\nin an attachment.", "edition": 25, "published": "2004-08-25T00:00:00", "title": "HastyMail HTML Attachment Script Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2704"], "modified": "2004-08-25T00:00:00", "cpe": [], "id": "HASTYMAIL_ATTACHMENT_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/14370", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(14370);\n script_version(\"1.16\");\n\n script_cve_id(\"CVE-2004-2704\");\n script_bugtraq_id(11022);\n script_xref(name:\"Secunia\", value:\"12358\");\n \n script_name(english:\"HastyMail HTML Attachment Script Execution\");\n script_summary(english:\"Checks for version of HastyMail\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\na cross-site scripting vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running HastyMail, a PHP-based mail client\napplication.\n\nThe installed version contains a flaw caused by email attachments not\nbeing properly defined int he Content-Disposition HTTP header. 
An\nattacker could exploit this flaw to inject Javascript or ActiveX code\nin an attachment.\" );\n script_set_attribute(attribute:\"see_also\", \n value:\"https://seclists.org/bugtraq/2004/Aug/326\" \n );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to HastyMail 1.0.2 or 1.2.0, as this reportedly fixes the\nissue.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/08/25\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/08/24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"CGI abuses\";\n script_family(english:family[\"english\"]);\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port))exit(0);\n\nfunction check(loc)\n{\n local_var r;\n\n r = http_send_recv3(method: \"GET\", item:string(loc, \"/login.php\"), port:port);\n if (isnull(r)) exit(0);\n if(\"Hastymail\" >< r[2] && egrep(pattern:\"Hastymail (0\\.|1\\.0\\.[01]|1\\.1\\.)\", string: r[2]) )\n {\n \tsecurity_warning(port);\n\texit(0);\n }\n}\n\nforeach dir (cgi_dirs())\n{\n 
check(loc:dir);\n}\n\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}