[imp] security of IMP - I need documentation

Andrew Morgan morgan at orst.edu
Tue Mar 18 14:28:34 PST 2003



On 18 Mar 2003, scott wrote:

> I am interested in promoting the use of IMP at my company, where we
> currently use OWA (but not to the outside).  The company wants a
> web-based email client on the Web.  One of the things I need to produce
> is evidence that Horde/IMP is more secure than opening up OWA to the
> Internet. I can find exploits that have affected OWA, but where can I
> find security-related info about IMP/Horde?
>
> Thanks,
>
> Scott Henderson

You probably need to examine the potential security vulnerabilities of
each component.

OWA
---
1. Windows 2000 Server (I'm assuming)
2. IIS
3. OWA
4. HTML/XSS

Horde/IMP
---------
1. Linux (I'm assuming)
2. Apache
3. PHP
4. Horde/IMP
5. HTML/XSS


So, compare each component between the two.  On the OWA side of things,
I'd be most concerned about IIS and Windows 2000 vulnerabilities, with
HTML/XSS a lesser concern.  On the Horde side of things, it's more of a
toss-up.  I don't see any glaring security concerns with any of those
pieces, although the HTML/XSS stuff can be a problem if you display HTML
email inline.

I know that isn't very definitive, but it seems that the backend of the
Horde solution is much more secure than the backend of the OWA solution.

Obviously, I'd be doing SSL for both solutions.

	Andy


