[imp] IMP 2.2.4 (SECURITY) released

Darron Froese darron@froese.org
Fri, 02 Feb 2001 11:03:52 -0700


 
> The Horde team announces the availability of IMP 2.2.4 -- this version
> improves IMP's filtering of malicious HTML scripting constructs in HTML
> attachments, which can be used by an attacker to run scripting code in
> the user's browser.  Administrators of IMP 2.2.x production systems are
> encouraged to upgrade to prevent this kind of attack against your users.
> 
> This release also contains a long list of bug fixes and minor improvements,
> most notably the fix for attachment downloading for IE 5.5 users.  For a
> complete list of changes in this release, please consult the docs/CHANGES
> files.
> 
> Credits:
> 
> Thanks to Nick Cleaton <nick@cleaton.net> for reporting the HTML scripting
> vulnerability.  A specific exploit for this problem is known, but at
> his request we are not providing details at this time.  Other webmail
> products are also vulnerable to a similar attack, and this will give
> their developers a little more time to implement a fix.

It appears that the file:

imp/templates/menu/main.inc

has mysteriously changed its name from IMP 2.2.3 to 2.2.4 to:

imp/templates/menu/menu.inc.

That's causing a little havoc with the IMP patch not working too well - at
least on my default 2.2.3 install. ;-)

If you're having problems with the patch, just rename that file and it
should work just fine - it worked for me.
-- 
darron
darron@froese.org