IMP 2.2.6 (SECURITY) released

Brent J. Nordquist bjn@horde.org
Sat, 21 Jul 2001 17:22:22 -0500 (CDT)


The Horde team announces the availability of IMP 2.2.6, which fixes three
potential security issues.  We strongly recommend that all sites running
IMP 2.2.x upgrade to this version.

(1)  A PHPLIB vulnerability allowed an attacker to provide a value for
the array element $_PHPLIB[libdir], and thus to get scripts from another
server to load and execute.  This vulnerability is remotely exploitable.
(Horde 1.2.x ships with its own customized version of PHPLIB, which has
now been patched to prevent this problem.)

(2)  By using tricky encodings of "javascript:" an attacker can cause
malicious JavaScript code to execute in the browser of a user reading
email sent by the attacker.  (IMP 2.2.x already filters many such
patterns; several new ones that were slipping past the filters are now
blocked.)
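To illustrate the filtering problem in (2), here is an added example (written for this post, not IMP's own filter code) of a checker that normalizes a URL attribute the way a browser does before testing for the "javascript:" scheme, so that entity-encoded, mixed-case and whitespace-interleaved variants do not slip past a plain substring match.  The sample attribute values and the HTML fragment are constructed for the demonstration; Python is used here only because the logic is independent of the webmail code.

```python
import html
import re

# Constructed sample attribute values (not from the advisory). A naive
# substring test for "javascript:" accepts every disguised form below.
SAMPLES = {
    "javascript:alert(1)": True,
    "JaVaScRiPt:alert(1)": True,
    "java\tscript:alert(1)": True,               # tab inside the scheme
    "  \n javascript:alert(1)": True,            # leading whitespace/newline
    "&#106;avascript:alert(1)": True,            # decimal entity for 'j'
    "jav&#10;ascript:alert(1)": True,            # entity-encoded newline
    "http://example.test/javascript:x": False,   # scheme is really http
    "mailto:user@example.test": False,
}

# Browsers discard ASCII control characters and whitespace while parsing
# the scheme, so the filter must discard them before comparing.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")

# href/src attribute with a double-quoted, single-quoted or bare value
_URL_ATTR = re.compile(
    r"""\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def normalize_url(value: str) -> str:
    """Decode HTML entities (repeatedly, to undo double encoding), drop
    control characters and whitespace, and lower-case the result."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(value)
    return _CONTROL.sub("", value).lower()

def is_script_url(value: str) -> bool:
    """True when the normalized URL would be run as JavaScript."""
    return normalize_url(value).startswith("javascript:")

def find_script_urls(fragment: str) -> list:
    """Return the raw href/src values in an HTML fragment that should be
    stripped before the message is displayed."""
    hits = []
    for m in _URL_ATTR.finditer(fragment):
        raw = next(g for g in m.groups() if g is not None)
        if is_script_url(raw):
            hits.append(raw)
    return hits

# Constructed HTML mail body: one harmless link and two disguised ones.
CONSTRUCTED_MAIL = (
    '<p><a href="http://example.test/">news</a> '
    '<a href="jav&#x09;ascript:alert(1)">click</a> '
    "<img src='  javascript:alert(1)'></p>"
)
```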

(3)  A hostile user who can create a publicly-readable file named
"prefs.lang" somewhere on the Apache/PHP server can cause that file to be
executed as PHP code.  The IMP configuration files could thus be read,
the Horde database password used to read and alter the database used to
store contacts and preferences, etc.  We do not believe this is remotely
exploitable directly through Apache/PHP/IMP; however, shell access to
the server or other means (e.g., FTP) could be used to create this file.

This release also has a new Lithuanian translation.

Download:

This release can be downloaded from the following locations:

	ftp://ftp.horde.org/pub/horde/
	ftp://ftp.horde.org/pub/imp/

MD5 checksums:

123d9b8b91f2526ece1595271d33d52c  horde-1.2.6.tar.gz
10c5f9b73b1894a2c6b78e46935808ea  imp-2.2.6.tar.gz
f8126f1b60698e599a2d7a66b41632e4  patch-horde-1.2.5-1.2.6.gz
f3b617e2cbd997ad406080440d30d554  patch-imp-2.2.5-2.2.6.gz

Credits:

The Horde Project would like to thank:

 - giancarlo pinerolo <giancarlo@navigare.net> for reporting problem (1)
 - Nick Cleaton <nick@cleaton.net> for reporting problem (2)

Problem (3) was discovered during an internal audit resulting from the
"Study in Scarlet" paper by Shaun Clowes <shaun@securereality.com.au>,
to whom we're also grateful.  Problem (3) was the only "scarlet"-type
vulnerability discovered during the audit; the code looks very good in
this regard.

-- 
Brent J. Nordquist <bjn@horde.org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942