IMP 2.2.7 (SECURITY) released

Brent J. Nordquist bjn@horde.org
Sat, 10 Nov 2001 09:05:26 -0600 (CST)


The Horde team announces the availability of IMP 2.2.7, which fixes a
potential session hijacking vulnerability using a cross-site scripting
(CSS) attack.  We recommend that all sites running IMP 2.2.x upgrade to
this version.

The Horde Project would like to thank João Pedro Gonçalves from the
Phibernet Information Network <megas@phibernet.org> for discovering this
problem and alerting us.  From his description:

> - It's possible to hijack an imp/horde session using a cross-site
> script attack, quite similar to the one explored by Marc Slemko in his
> "Microsoft Passport to Trouble" paper.
> 
> - After hijacking the cookies, the attacker can use the session and read
> the victim's mail.
> 
> - All stable imp webmail versions, up to 2.2.6 including are vulnerable,
> the devel version, 2.3 and 3.0 Release Candidate 1 are not affected by
> this vulnerability.

This release also has a new Chinese (Simplified) translation.

Download:

This release can be downloaded from the following locations:

	ftp://ftp.horde.org/pub/horde/
	ftp://ftp.horde.org/pub/imp/

MD5 checksums:

2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz
b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz
818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz
556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz

-- 
Brent J. Nordquist <bjn@horde.org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942