This is a page dedicated to explaining the security techniques used by
Hastymail, as well as some recommendations for properly configuring and using
this webmail client with regard to security.
Security UPDATE 8-24-2004:
A security issue was found in both the stable and development versions of
Hastymail that affects IE users and the "download" link on the message view
page. If a user downloads an HTML part, Internet Explorer will look at the
file extension and open the attachment inline, even though the MIME type of
the part is set to application/octet-stream, because we did not define the
"attachment" parameter in the Content-Disposition HTTP header. This is
dangerous because the attachment is unfiltered at this point and could
contain JavaScript or ActiveX code. With the fix in place Internet Explorer
will not open the HTML file but will instead prompt the user to save or open
it.
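The header change the fix makes, shown as an added PHP example that is not the project's own download.php: the weak form sends the part with only a filename, the fixed form names the "attachment" disposition explicitly. The function names, the $part array layout and the sample part are assumptions for this illustration.

```php
<?php
// Added example (not Hastymail's download.php): build the HTTP headers for
// serving a message part as a download. Function names and the $part array
// layout are assumptions for this illustration.

// Weak form the page describes: no "attachment" disposition. Internet Explorer
// of that era looked at the file extension and rendered an .html part inline,
// so unfiltered message HTML ran in the webmail origin.
function download_headers_weak(array $part) {
    return array(
        'Content-Type: application/octet-stream',
        'Content-Disposition: filename="' . $part['name'] . '"',
    );
}

// Fixed form: explicit "attachment" disposition, a sanitised filename, and
// X-Content-Type-Options: nosniff (a later header that tells browsers not to
// guess the type; harmless on clients that ignore it).
function download_headers_fixed(array $part) {
    $name = safe_filename($part['name']);
    return array(
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $name . '"',
        'X-Content-Type-Options: nosniff',
        'Content-Length: ' . strlen($part['body']),
    );
}

// Strip anything that could break out of the quoted filename or inject a
// second header (CR/LF, quotes, path separators); fall back to a generic name.
function safe_filename($name) {
    $name = basename(str_replace("\\", '/', (string) $name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    return ($name === '' || $name === '.' || $name === '..') ? 'attachment.bin' : $name;
}

// Constructed sample part for demonstration.
$part = array('name' => 'notes.html', 'body' => '<html><body>hello</body></html>');

if (PHP_SAPI === 'cli') {
    print_r(download_headers_fixed($part));   // inspect the headers from the command line
} else {
    foreach (download_headers_fixed($part) as $h) {
        header($h);
    }
    echo $part['body'];
}
```

Non-ASCII filenames would need the RFC 5987 encoded form of the parameter; the example replaces such characters with underscores instead, which keeps the quoted value trivially safe.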
You can download updated versions of Hastymail here:
Upgrade from Development 1.1: 1.2 (this version also contains new features)
Upgrade from Stable 1.0.1: 1.0.2
-OR-
If you are running 1.1 or 1.0.1 you can use this drop-in replacement for download.php.
Just download and untar this file and move it to hastymail/html/download.php. It works for both
1.1 AND 1.0.1.
Drop-in replacement file: download.php.tar.gz
-OR-
Lastly you can get a patch for 1.1 or 1.0.1 to download.php below. Just move the patch into
the top hastymail directory and run "patch -p0 < patch_name"
patch for 1.0.1: hastymail-1.0.1_download_fix.diff
patch for 1.1: hastymail-1.1_download_fix.diff
Security Contact
The Hastymail developers want to provide a secure E-mail client that
users can trust. If you believe you have found a security exploit for Hastymail,
or simply have questions regarding Hastymail security, please contact us.
Project admin:
sailfrog@users.sourceforge.net
Development list:
hastymail-devel@lists.sourceforge.net
One of the great things about open source software is the collaborative effort
of knowledgeable people making software better. Please be a part of the community and
contact us with security related issues!

Hastymail Security
There are many security considerations that have an impact on web based applications, especially
those involving E-mail.
Plain text transfer over HTTP. The HTTP protocol sends web pages and user input back and forth
between the web browser and the server in plain text. To protect this data from prying eyes Hastymail
should be hosted using HTTPS (Secure HTTP). Hastymail will work with either transparently.
Cross-site scripting. Cross-site scripting can allow users to gain more information from the
server than you want them to have, or could allow one user to access the webmail account of another.
Hastymail tackles this problem by attacking its source: the misuse of uninitialized variables.
Code development is done with verbose PHP warnings to make sure that all variables are properly
initialized. All user supplied variables are checked with a special validate function to ensure
that they are not being misused.
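A validate function in the spirit described above, as an added PHP example that is not Hastymail's own code: every request value is fetched explicitly from a source array (such as $_GET or $_POST, so nothing depends on register_globals) and accepted only when it matches the shape the page expects. The type labels, parameter names and the sample request are assumptions.

```php
<?php
// Added example, not Hastymail's own validate function. Returns the cleaned
// value, or false when the input does not match the expected type; callers
// must test with === false, since a valid integer may legitimately be 0.
function validate($value, $type) {
    if (!is_string($value)) {
        return false;   // arrays, nulls and missing values are rejected outright
    }
    switch ($type) {
        case 'int':        // message UIDs, page numbers: digits only, bounded length
            return preg_match('/^[0-9]{1,10}\z/', $value) ? (int) $value : false;
        case 'mailbox':    // IMAP mailbox names: bounded length, no control characters
            return (strlen($value) <= 255 && !preg_match('/[\x00-\x1f\x7f]/', $value)) ? $value : false;
        case 'action':     // one of a fixed set of page actions (assumed set)
            return in_array($value, array('read', 'reply', 'delete', 'move'), true) ? $value : false;
        case 'email':      // addresses typed into the compose form
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : false;
        default:
            return false;  // unknown type: reject rather than pass through untouched
    }
}

// Pull each expected parameter by name from an explicit source array. Anything
// the page did not ask for is simply never read.
function request_params(array $expected, array $src) {
    $out = array();
    foreach ($expected as $name => $type) {
        $out[$name] = isset($src[$name]) ? validate($src[$name], $type) : false;
    }
    return $out;
}

// Constructed request for demonstration (stands in for $_GET).
$sample = array('uid' => '42', 'box' => 'INBOX', 'act' => 'read', 'extra' => 'ignored');
$params = request_params(array('uid' => 'int', 'box' => 'mailbox', 'act' => 'action'), $sample);
print_r($params);
```

The design choice is an allow list per parameter: a value is either one of the known shapes or it is rejected, so a new page only has to declare what it expects rather than enumerate what it fears.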
Web application sessions. Sessions are a way for a web application to save information between
page loads. This is what keeps you logged in to Hastymail. The session has an id associated with it
that, if stolen by another user, could allow outside access to one's webmail account. Your session
also contains an encrypted version of your password, which requires an encryption key to decipher.
If you are running the Apache web server there is a method to create the encryption key so that
it is still protected from normal user shell access, and only available to the root user.
HTML formatted E-mail presents another risk as it contains HTML that is not part of the application.
Aside from the techniques outlined above to avoid cross-site scripting, Hastymail can also:
- Remove nasty parts of HTML messages (like scripts) as well as images and links.
- Run without any Javascript support in the web browser. Hastymail is all W3C compliant HTML.
- Use a dynamic session identifier that is only good for one page load, then expires, making it
  useless if "stolen".
- Validate the current user's IP address and browser string on each page load.
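The last two items above, a session identifier that is spent after one page load and a check that the client's address and browser string still match, as an added PHP example that is not Hastymail's own session code. Arrays stand in for $_SESSION, $_GET and $_SERVER so the logic can be exercised from the command line; the function names and the $state layout are assumptions.

```php
<?php
// Added example, not Hastymail's own session code. random_bytes() and
// hash_equals() are PHP 7 / 5.6 functions; the original ran on PHP 4.

// Called at login and after every successful page load: mint a fresh token that
// the next request must present. A token copied from a URL or page source is
// dead as soon as the legitimate user loads the next page.
function issue_page_token(array &$state) {
    $state['page_token'] = bin2hex(random_bytes(16));
    return $state['page_token'];
}

// Record what the client looked like at login; later requests are compared to this.
function bind_client(array &$state, array $server) {
    $state['ip'] = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $state['ua'] = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
}

// Accept the request only if the presented token is the current one and the
// client still matches the login record. hash_equals() keeps the comparison
// constant-time so the token does not leak through timing.
function check_request(array &$state, array $request, array $server) {
    $token = isset($request['t']) ? (string) $request['t'] : '';
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    if (empty($state['page_token']) || !hash_equals($state['page_token'], $token)) {
        return false;
    }
    if ($ip !== $state['ip'] || $ua !== $state['ua']) {
        return false;
    }
    issue_page_token($state);   // rotate: the token just used is now spent
    return true;
}

// Constructed walk-through: one legitimate load, a replay of the spent token,
// and a request carrying the current token from a different address.
$session = array();
$server = array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0');
bind_client($session, $server);
$t1 = issue_page_token($session);

$first_load = check_request($session, array('t' => $t1), $server);
$replay     = check_request($session, array('t' => $t1), $server);
$t2 = $session['page_token'];
$elsewhere  = check_request($session, array('t' => $t2),
                            array('REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'));
var_dump($first_load, $replay, $elsewhere);
```

Binding to REMOTE_ADDR is what the page describes; note that users behind proxy pools or mobile carriers change address mid-session, which is why the check is a defence in depth around the one-use token rather than a replacement for it.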
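The first item above, stripping scripts, images and links from HTML mail, as an added PHP example that is not Hastymail's own filter: an allow-list cleaner built on DOMDocument, which keeps only listed elements and attributes and removes everything else whole, so script bodies, event handlers and image or link targets never reach the browser. The tag and attribute lists and the sample message are assumptions chosen for the illustration.

```php
<?php
// Added example, not Hastymail's own HTML filter.
function clean_html($html) {
    $allowed_tags = array('p', 'br', 'b', 'i', 'u', 'em', 'strong', 'ul', 'ol', 'li',
                          'blockquote', 'pre', 'div', 'span', 'table', 'tr', 'td', 'th');
    $unwrap_tags  = array('a', 'font');             // keep the text, drop the element
    $allowed_attrs = array('colspan', 'rowspan');   // no href, src, style, id, class, on*

    $doc = new DOMDocument();
    // Real mail contains sloppy HTML: silence parser warnings, wrap fragments in
    // a body so they parse, and declare UTF-8 via the encoding prefix.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_node($body, $allowed_tags, $unwrap_tags, $allowed_attrs);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Walk children from the end so removals do not disturb the loop. Elements not
// on either list are removed with their content, so <script>...</script> and
// <style> bodies vanish rather than being left behind as text.
function clean_node(DOMNode $node, array $allowed_tags, array $unwrap_tags, array $allowed_attrs) {
    for ($i = $node->childNodes->length - 1; $i >= 0; $i--) {
        $child = $node->childNodes->item($i);
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $unwrap_tags, true)) {
                // Hoist the children in front of the element, drop the element,
                // and bump $i so the loop revisits the hoisted children.
                $moved = 0;
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                    $moved++;
                }
                $node->removeChild($child);
                $i += $moved;
                continue;
            }
            if (!in_array($tag, $allowed_tags, true)) {
                $node->removeChild($child);
                continue;
            }
            // Copy the attribute map first: removing while iterating a live map skips entries.
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array(strtolower($attr->name), $allowed_attrs, true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child, $allowed_tags, $unwrap_tags, $allowed_attrs);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments, processing instructions
        }
    }
}

// Constructed sample message part.
$sample = '<p onclick="x()">Hello <b>there</b></p><script>bad()</script>'
        . '<a href="http://example.com/">link</a><img src="http://example.com/t.gif">';
echo clean_html($sample), "\n";
```

The parser-based approach matters: a regular expression that deletes `<script>` tags can be bypassed by malformed markup that the browser repairs differently from the regex, whereas here the browser-style parse happens first and the decision is made on the resulting tree.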
IMAP issues. Since Hastymail is a client application, the security of your IMAP server is an important
factor in securing your webmail setup. Like HTTP, the default IMAP data transfer is in plain text.
There are some ways you can protect against this. If Hastymail and the IMAP server run on the same
machine, configuring the IMAP service to only listen on the loopback device will make the IMAP traffic
unavailable to outsiders. Also, using secure IMAP on port 993 will encrypt your IMAP communication in
the same way that HTTPS does for HTTP. Hastymail can be configured for IMAPS if you are running PHP
4.3 or greater. IMAP supplies several other methods to secure communications with a client, like the
STARTTLS command, and other protected authentication mechanisms like CRAM-MD5. As of this time Hastymail
does not support these but hopes to in the future. In the meantime, running over the local loopback or
using IMAPS will protect your IMAP transmissions.
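The two deployment choices the paragraph recommends, expressed as a connection policy in an added PHP example that is not Hastymail's own IMAP code: plain port 143 is allowed only to a loopback address, anything else must be IMAPS on port 993 with certificate verification. The function names and the simple loopback test are assumptions.

```php
<?php
// Added example, not Hastymail's own IMAP code. Decide the transport for an
// IMAP connection so that credentials never cross the network in the clear.
function imap_transport($host, $use_ssl) {
    // Assumed loopback test: IPv4 127/8, IPv6 ::1, or the name localhost.
    $loopback = ($host === 'localhost' || $host === '::1' || strpos($host, '127.') === 0);
    if ($use_ssl) {
        return 'ssl://' . $host . ':993';     // IMAPS, as the page recommends
    }
    if ($loopback) {
        return 'tcp://' . $host . ':143';     // plain IMAP, but only on this machine
    }
    return false;                             // refuse plain IMAP across the network
}

// Open the socket and read the server greeting. For ssl:// the stream context
// insists on a verified certificate matching the configured host name
// (verify_peer_name and peer_name are PHP 5.6+ options).
function imap_connect($host, $use_ssl, $timeout = 10) {
    $target = imap_transport($host, $use_ssl);
    if ($target === false) {
        return false;
    }
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $fp = @stream_socket_client($target, $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return false;
    }
    $greeting = fgets($fp, 1024);             // expect "* OK ..." from an IMAP server
    if ($greeting === false || strncmp($greeting, '* OK', 4) !== 0) {
        fclose($fp);
        return false;
    }
    return $fp;
}

// Constructed configuration values for demonstration; no connection is attempted here.
var_dump(imap_transport('127.0.0.1', false));
var_dump(imap_transport('mail.example.com', false));
var_dump(imap_transport('mail.example.com', true));
```

Refusing the plain-text case outright, rather than warning, means a typo in the host setting cannot silently downgrade every user's login to clear text.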
PHP issues. PHP is a powerful, fast, easy-to-use web scripting language with a wide array
of configuration options and built-in functions. While these features make a programmer's job easier,
it is not surprising that they also make PHP susceptible to security exploits. PHP includes functions that
can be used to execute other applications on the server (Hastymail does not use any of these),
and PHP has had a number of security related issues over the past releases. However, PHP is actively developed
and always improving, so keeping current with the latest stable PHP releases is
an important way to keep your installation secure. Hastymail is not recommended (or supported!) for use with
PHP versions less than 4.1. Hastymail does not use functions that may be exploitable (that we know of :) and
should be run with the PHP register_globals option set to off (as all PHP scripts should). With slight modifications
Hastymail can run in PHP's safe mode.
Jason Munro (sailfrog)