CVE-2011-4542
Published 2011-11-30
Priority: P2, 66, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS: 26.06% (97.7th percentile)
Hastymail2 2.1.1 before RC2 allows remote attackers to execute arbitrary commands via the (1) rs or (2) rsargs[] parameter in a mailbox Drafts action to the default URI.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hastymail | hastymail2 | <= 2.1.1 | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
| hastymail | hastymail2 | — | — |
Detection & IOCs (extracted from sources)
- Look for POST requests to the Hastymail default URI containing 'rs' or 'rsargs[]' parameters in a mailbox Drafts action — these are the injectable parameters.
- Detect exploitation attempts by monitoring POST requests to lib/ajax_functions.php for abuse of call_user_func_array() via the rs/rsargs[] parameters.
- The Metasploit module transmits the payload Base64-encoded in a custom HTTP header named 'Cmd' — inspect POST requests to /hastymail2/ for a non-standard 'Cmd' header containing Base64 data.
- Authentication is required before exploitation; monitor for a POST login to ?page=login followed immediately by a POST to the base Hastymail URI with a 'Cmd' header — this sequence indicates automated exploitation.
- Track the session cookie set after successful login (HTTP 303 redirect from ?page=login) and correlate it with subsequent suspicious POST requests to the Hastymail base path.
- The default base path used by the Metasploit module is /hastymail2/ but may be customised by the attacker via TARGETURI — do not rely solely on path-based detection.
- Exploitation requires valid credentials; unauthenticated scanning will not trigger the vulnerability. Detections should account for the mandatory prior authentication step.
- Only Hastymail2 versions up to 2.1.1 RC1 are affected; 2.1.1 RC2 and later are patched.
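
The indicators above combined into one check, as an added example (not part of the original page or of the Metasploit module). It assumes a reverse proxy or WAF log that records request headers, form bodies and session cookies; the record field names, the `WINDOW` threshold and the sample records are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qs

WINDOW = 10  # assumed threshold: seconds between login and the suspicious POST

def is_base64(value):
    """True if value is non-empty and strictly valid Base64."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False

def findings(requests):
    """Return (index, reasons) for each POST matching the indicators listed above.
    The request path is deliberately ignored: the base path may be customised."""
    logins = {}  # session cookie -> time of the POST to ?page=login answered with 303
    hits = []
    for i, r in enumerate(requests):
        if r["method"] != "POST":
            continue
        if parse_qs(r.get("query", "")).get("page") == ["login"]:
            if r["status"] == 303 and r.get("set_cookie"):
                logins[r["set_cookie"]] = r["ts"]
            continue
        reasons = []
        body = parse_qs(r.get("body", ""), keep_blank_values=True)
        if "rs" in body or "rsargs[]" in body:
            reasons.append("rs/rsargs[] parameter")
        headers = {k.lower(): v for k, v in r.get("headers", {}).items()}
        if is_base64(headers.get("cmd", "")):
            reasons.append("Base64 'Cmd' header")
            t = logins.get(r.get("cookie"))
            if t is not None and 0 <= r["ts"] - t <= WINDOW:
                reasons.append("login immediately before")
        if reasons:
            hits.append((i, reasons))
    return hits

SAMPLE = [  # constructed records, not captured traffic
    {"ts": 100, "method": "POST", "path": "/webmail/", "query": "page=login",
     "status": 303, "set_cookie": "sess-A", "body": "user=alice"},
    {"ts": 101, "method": "POST", "path": "/webmail/", "query": "", "status": 200,
     "cookie": "sess-A", "headers": {"Cmd": base64.b64encode(b"constructed").decode()},
     "body": "rs=PLACEHOLDER&rsargs%5B%5D=PLACEHOLDER"},
    {"ts": 500, "method": "POST", "path": "/webmail/", "query": "page=compose",
     "status": 200, "cookie": "sess-B", "body": "subject=hello"},
]
```
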
No detection rules found.
Exploit-DB
Hastymail 2.1.1 RC1 - Command Injection (Metasploit)
exploitdb · 2012-07-12
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Hastymail 2.1.1 RC1 Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in Hastymail
2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on
the "lib/ajax_functions.php" script. Authentication is required on Hastymail
in order to exploit the vulnerability. The module has been successfully tested
on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Auth
```
Metasploit
Hastymail 2.1.1 RC1 Command Injection
This module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on the "lib/ajax_functions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully tested on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
Published 2011-11-30