[imp] IMP 2.2.6 (SECURITY) released
Mike Cisar
mcisar@starmania.net
Sat, 21 Jul 2001 18:11:54 -0600
Are there any plans to generate RPMs for these updated packages?
Cheers,
>>>>> Mike <<<<<
> -----Original Message-----
> From: Brent J. Nordquist [mailto:bjn@horde.org]
> Sent: Saturday, July 21, 2001 4:22 PM
> To: imp@lists.horde.org; announce@lists.horde.org
> Cc: bugtraq@securityfocus.com; lwn@lwn.net
> Subject: [imp] IMP 2.2.6 (SECURITY) released
>
>
> The Horde team announces the availability of IMP 2.2.6, which fixes three
> potential security issues. We strongly recommend that all sites running
> IMP 2.2.x upgrade to this version.
>
> (1) A PHPLIB vulnerability allowed an attacker to provide a value for
> the array element $_PHPLIB[libdir], and thus to get scripts from another
> server to load and execute. This vulnerability is remotely exploitable.
> (Horde 1.2.x ships with its own customized version of PHPLIB, which has
> now been patched to prevent this problem.)
>
> (2) By using tricky encodings of "javascript:" an attacker can cause
> malicious JavaScript code to execute in the browser of a user reading
> email sent by the attacker. (IMP 2.2.x already filters many such patterns;
> several new ones that were slipping past the filters are now blocked.)
>
> (3) A hostile user that can create a publicly-readable file named
> "prefs.lang" somewhere on the Apache/PHP server can cause that file to be
> executed as PHP code. The IMP configuration files could thus be read,
> the Horde database password used to read and alter the database used to
> store contacts and preferences, etc. We do not believe this is remotely
> exploitable directly through Apache/PHP/IMP; however, shell access to
> the server or other means (e.g., FTP) could be used to create this file.
>
> This release also has a new Lithuanian translation.
>
> Download:
>
> This release can be downloaded from the following locations:
>
> ftp://ftp.horde.org/pub/horde/
> ftp://ftp.horde.org/pub/imp/
>
> MD5 checksums:
>
> 123d9b8b91f2526ece1595271d33d52c horde-1.2.6.tar.gz
> 10c5f9b73b1894a2c6b78e46935808ea imp-2.2.6.tar.gz
> f8126f1b60698e599a2d7a66b41632e4 patch-horde-1.2.5-1.2.6.gz
> f3b617e2cbd997ad406080440d30d554 patch-imp-2.2.5-2.2.6.gz
>
> Credits:
>
> The Horde Project would like to thank:
>
> - giancarlo pinerolo <giancarlo@navigare.net> for reporting problem (1)
> - Nick Cleaton <nick@cleaton.net> for reporting problem (2)
>
> Problem (3) was discovered during an internal audit resulting from the
> "Study in Scarlet" paper by Shaun Clowes <shaun@securereality.com.au>,
> to whom we're also grateful. Problem (3) was the only "scarlet"-type
> vulnerability discovered during the audit; the code looks very good in
> this regard.
>
> --
> Brent J. Nordquist <bjn@horde.org> N0BJN
> Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
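
Added example, not part of the original announcement and not IMP's own code: issue (2) describes encoded forms of "javascript:" slipping past pattern filters, and the Python below shows the alternative of normalizing a link value first and then applying a scheme allowlist. The announcement does not list the encodings involved, so the ones handled here (character references, embedded whitespace and control characters, mixed case), the allowed schemes, and the names `ALLOWED_SCHEMES`, `effective_scheme` and `is_safe_link` are assumptions.

```python
import html
import re

# Assumed policy for this example: schemes a webmail viewer lets through in links.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Whitespace and control characters are removed before looking for a scheme,
# because browsers drop tab/CR/LF inside URLs and ignore leading controls.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def effective_scheme(raw_value):
    """Return the scheme a browser could act on, or None for a relative URL."""
    value = raw_value
    # Decode character references until stable, so a value that gets decoded
    # again further down the pipeline cannot reveal a hidden scheme.
    for _ in range(4):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    else:
        return "(over-encoded)"  # still changing after 4 passes: fail closed
    value = _IGNORED.sub("", value).lower()
    match = _SCHEME.match(value)
    return match.group(1) if match else None


def is_safe_link(raw_value):
    """Allowlist decision made on the normalized value, not on the raw text."""
    scheme = effective_scheme(raw_value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample attribute values (not taken from the IMP advisory).
SAMPLES = [
    "http://example.org/?a=1&amp;b=2",
    "javascript:void(0)",
    "  JaVaScRiPt:void(0)",
    "jav&#9;ascript:void(0)",
    "&#106;avascript&#58;void(0)",
    "&amp;#106;avascript:void(0)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("allow" if is_safe_link(sample) else "block", repr(sample))
```

Because the decision is an allowlist on the normalized scheme, an encoding variant the filter has never seen is still blocked unless it resolves to an allowed scheme.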