Home page logo

fulldisclosure logo Full Disclosure mailing list archives

XSS in Horde IMP <=4.3.7, fetchmailprefs.php
From: Moritz Naumann <security () moritz-naumann com>
Date: Mon, 27 Sep 2010 18:32:36 +0200


Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)

The fetchmailprefs.php script fails to properly sanitize user supplied
input to the 'fm_id' URL parameter. If exploited, injected code will be
persistent (persistent XSS) and will execute once the user (manually)
accesses mail fetching preferences.

The following URL can be used as a proof of concept:

Prior authentication to IMP is required for immediate exploitation.
Follow-up authentication is also possible if the victims' IMP
configuration has folder maintenance options disabled.

This issue has been fixed by Jan Schneider of the Horde Project:

According to him, Horde IMP v4.3.8 (or a release candidate) which fixes
this issue is to be released within the week. Release announcements will
likely be communicated through

Credits for this discovery:

Moritz Naumann
Naumann IT Security Consulting, Berlin, Germany

Thanks for reading,


Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin

Web     http://moritz-naumann.com
GPG     http://moritz-naumann.com/keys/0x277F060C.asc
        17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C

Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • XSS in Horde IMP <=4.3.7, fetchmailprefs.php Moritz Naumann (Sep 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]