[imp] IMP 2.2.6 (SECURITY) released

Mike Cisar mcisar@starmania.net
Sat, 21 Jul 2001 18:11:54 -0600


Are there any plans to generate RPMs for these updated packages?

Cheers,
>>>>> Mike <<<<<

> -----Original Message-----
> From: Brent J. Nordquist [mailto:bjn@horde.org]
> Sent: Saturday, July 21, 2001 4:22 PM
> To: imp@lists.horde.org; announce@lists.horde.org
> Cc: bugtraq@securityfocus.com; lwn@lwn.net
> Subject: [imp] IMP 2.2.6 (SECURITY) released
> 
> 
> The Horde team announces the availability of IMP 2.2.6, which fixes three
> potential security issues.  We strongly recommend that all sites running
> IMP 2.2.x upgrade to this version.
> 
> (1)  A PHPLIB vulnerability allowed an attacker to provide a value for
> the array element $_PHPLIB[libdir], and thus to get scripts from another
> server to load and execute.  This vulnerability is remotely exploitable.
> (Horde 1.2.x ships with its own customized version of PHPLIB, which has
> now been patched to prevent this problem.)
> 
> (2)  By using tricky encodings of "javascript:" an attacker can cause
> malicious JavaScript code to execute in the browser of a user reading
> email sent by the attacker.  (IMP 2.2.x already filters many such patterns;
> several new ones that were slipping past the filters are now blocked.)
> 
> (3)  A hostile user that can create a publicly-readable file named
> "prefs.lang" somewhere on the Apache/PHP server can cause that file to be
> executed as PHP code.  The IMP configuration files could thus be read,
> the Horde database password used to read and alter the database used to
> store contacts and preferences, etc.  We do not believe this is remotely
> exploitable directly through Apache/PHP/IMP; however, shell access to
> the server or other means (e.g., FTP) could be used to create this file.
> 
> This release also has a new Lithuanian translation.
> 
> Download:
> 
> This release can be downloaded from the following locations:
> 
> 	ftp://ftp.horde.org/pub/horde/
> 	ftp://ftp.horde.org/pub/imp/
> 
> MD5 checksums:
> 
> 123d9b8b91f2526ece1595271d33d52c  horde-1.2.6.tar.gz
> 10c5f9b73b1894a2c6b78e46935808ea  imp-2.2.6.tar.gz
> f8126f1b60698e599a2d7a66b41632e4  patch-horde-1.2.5-1.2.6.gz
> f3b617e2cbd997ad406080440d30d554  patch-imp-2.2.5-2.2.6.gz
> 
> Credits:
> 
> The Horde Project would like to thank:
> 
>  - giancarlo pinerolo <giancarlo@navigare.net> for reporting problem (1)
>  - Nick Cleaton <nick@cleaton.net> for reporting problem (2)
> 
> Problem (3) was discovered during an internal audit resulting from the
> "Study in Scarlet" paper by Shaun Clowes <shaun@securereality.com.au>,
> to whom we're also grateful.  Problem (3) was the only "scarlet"-type
> vulnerability discovered during the audit; the code looks very good in
> this regard.
> 
> -- 
> Brent J. Nordquist <bjn@horde.org> N0BJN
> Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
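
Item (2) of the quoted announcement describes pattern filters being bypassed by encoded forms of "javascript:". The sketch below is an added example, not part of the original thread and not IMP's code (it is written in Python rather than IMP's PHP); it contrasts a blocklist match on the raw text with canonicalizing the link first and allowlisting its scheme. The function names, the allowed-scheme set and the sample values are assumptions made for illustration.

```python
import html
import re

# Link schemes a webmail viewer might permit (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Control characters and whitespace that lenient browsers skip when reading a URL.
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def naive_filter_blocks(raw_href):
    """Blocklist check on the raw attribute text: the approach that gets bypassed."""
    return "javascript:" in raw_href.lower()


def browser_view(raw_href):
    """Approximate what the browser parses: entities decoded, ignorable bytes dropped."""
    return _IGNORED.sub("", html.unescape(raw_href))


def scheme_of(raw_href):
    """Scheme of the canonical form, or None for a relative or malformed value."""
    match = _SCHEME.match(browser_view(raw_href).lower())
    return match.group(1) if match else None


def safe_href(raw_href):
    """Return a re-escaped canonical href if its scheme is allowlisted, else None."""
    if scheme_of(raw_href) not in ALLOWED_SCHEMES:
        return None
    return html.escape(browser_view(raw_href), quote=True)


# Constructed sample attribute values, not taken from the advisory.
SAMPLES = [
    "http://horde.org/imp/",
    "javascript:alert(1)",
    "&#106;avascript:alert(1)",   # entity-encoded first letter
    "java\tscript:alert(1)",      # embedded tab
    "  JaVaScRiPt:alert(1)",      # leading whitespace, mixed case
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), naive_filter_blocks(sample), scheme_of(sample), safe_href(sample))
```

Because `browser_view` drops every space and control character, a legitimate link must carry its spaces percent-encoded to survive unchanged.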