[announce] CSS vulnerabilities in IMP 3.0

Brent J. Nordquist bjn@horde.org
Thu, 13 Jun 2002 09:01:00 -0500 (CDT)

This is an update to the following security notification:

On Sat, 6 Apr 2002, Brent J. Nordquist <bjn@horde.org> wrote:

> The Horde team announces the availability of IMP 2.2.8, which prevents
> some potential cross-site scripting (CSS) attacks.
> [...]
> The Horde Project would like to thank Nuno Loureiro <nuno@eth.pt>
> for discovering this problem and providing a very thorough analysis.

Sites using IMP 3.0 should note that IMP 3.0 is also vulnerable to these
attacks, but IMP 3.1 (final released this week) is not.  Therefore, IMP
3.0 users are encouraged to upgrade to IMP 3.1 to prevent these potential

IMP 3.1 can be downloaded from the following location (Horde 2.0 does not
need to be upgraded; it will work with IMP 3.1):


MD5 checksums:

MD5 (imp-3.1.tar.gz) = 73ff42a32e3ee3617fd411be356cb70f                         
MD5 (patch-imp-3.0-3.1.gz) = a7c9330ab1df2cd727c4aeb858138821  

Brent J. Nordquist <bjn@horde.org> N0BJN
Other contact information: http://www.nordist.net/contact.html