Bugtraq mailing list archives

IMP 2.2.7 (SECURITY) released
From: "Brent J. Nordquist" <bjn () horde org>
Date: Sat, 10 Nov 2001 09:05:26 -0600 (CST)

The Horde team announces the availability of IMP 2.2.7, which fixes a
potential session hijacking vulnerability using a cross-site scripting
(CSS) attack.  We recommend that all sites running IMP 2.2.x upgrade to
this version.

The Horde Project would like to thank João Pedro Gonçalves from the
Phibernet Information Network <megas () phibernet org> for discovering this
problem and alerting us.  From his description:

- It's possible to hijack an imp/horde session using a cross-site
script attack, quite similar to the one explored by Marc Slemko in his
"Microsoft Passport to Trouble" paper.

- After hijacking the cookies, the attacker can use the session and read
the victim's mail.

- All stable imp webmail versions, up to and including 2.2.6, are
vulnerable; the devel version, 2.3 and 3.0 Release Candidate 1 are not
affected by this vulnerability.

This release also has a new Chinese (Simplified) translation.


This release can be downloaded from the following locations:


MD5 checksums:

2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz
b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz
818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz
556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz

Brent J. Nordquist <bjn () horde org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
