IMP 2.2.6 (SECURITY) released

From: Brent J. Nordquist (bjn@horde.org)
Date: Sun Jul 22 2001 - 00:22:22 CEST


    The Horde team announces the availability of IMP 2.2.6, which fixes three
    potential security issues. We strongly recommend that all sites running
    IMP 2.2.x upgrade to this version.

    (1) A PHPLIB vulnerability allowed an attacker to provide a value for
    the array element $_PHPLIB[libdir], and thus to get scripts from another
    server to load and execute. This vulnerability is remotely exploitable.
    (Horde 1.2.x ships with its own customized version of PHPLIB, which has
    now been patched to prevent this problem.)

    (2) By using tricky encodings of "javascript:" an attacker can cause
    malicious JavaScript code to execute in the browser of a user reading
    email sent by the attacker. (IMP 2.2.x already filters many such patterns;
    several new ones that were slipping past the filters are now blocked.)
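Added example, not code from this announcement or from IMP (whose filters are PHP): a Python sketch of the normalization a defender has to apply to a link in an HTML message before deciding whether it carries a script scheme. A naive substring match for "javascript:" is exactly what mixed case, embedded whitespace and HTML character references slip past; the classifier below decodes and strips first, then compares the scheme. The set of allowed schemes and all sample inputs are assumptions constructed for the example.

```python
import html
import re

# ASCII whitespace and C0/DEL control characters: browsers skip these while
# parsing a URL scheme, so a filter must drop them before comparing.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")

# Schemes whose body the browser interprets itself rather than fetching from
# a server; all of them can carry script.
SCRIPT_SCHEMES = {"javascript", "vbscript", "livescript", "data"}

# Schemes a webmail client has a reason to link to (assumed policy).
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}


def canonical_scheme(url: str) -> str:
    """Return the lowercased scheme of ``url``, or "" for a relative URL.

    Undoes the obfuscations a substring search for "javascript:" misses:
    HTML character references (numeric and named, possibly nested),
    whitespace and control characters inside the scheme, and mixed case.
    """
    decoded = url
    for _ in range(3):  # bounded: a reference can wrap a reference (&amp;#106;)
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    cleaned = _IGNORED.sub("", decoded)
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else ""


def is_script_url(url: str) -> bool:
    """Detection view: would following this attribute value run script?"""
    return canonical_scheme(url) in SCRIPT_SCHEMES


def sanitize_href(url: str) -> str:
    """Rewriting view: keep the attribute only for relative or allowlisted
    schemes; anything else becomes an inert anchor.  The original string is
    returned, not the decoded one, so legitimate query strings containing
    '&' sequences are never altered by the classification step."""
    scheme = canonical_scheme(url)
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return url
    return "#"


if __name__ == "__main__":
    # Constructed inputs for illustration; not taken from the advisory.
    samples = ["http://www.horde.org/", "JaVaScRiPt:alert(1)",
               "java\tscript:alert(1)", "&#106;avascript:alert(1)",
               "inbox.php?mbox=INBOX"]
    for sample in samples:
        print(repr(sample), "->", canonical_scheme(sample) or "(relative)",
              "SCRIPT" if is_script_url(sample) else "ok", sanitize_href(sample))
```

The two functions split detection from enforcement on purpose: `is_script_url` is what you would log or alert on, while `sanitize_href` enforces an allowlist, which is the form a message filter should take, since a blocklist of bad schemes has to be extended every time a new one is found slipping through.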

    (3) A hostile user who can create a publicly-readable file named
    "prefs.lang" somewhere on the Apache/PHP server can cause that file to be
    executed as PHP code. The IMP configuration files could thus be read,
    the Horde database password used to read and alter the database used to
    store contacts and preferences, etc. We do not believe this is remotely
    exploitable directly through Apache/PHP/IMP; however, shell access to
    the server or other means (e.g., FTP) could be used to create this file.
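Problems (1) and (3) are two instances of the same defect: a file that will be executed as PHP is located from a value the application does not fully control, either a request-populated variable such as $_PHPLIB[libdir] or a search that finds "prefs.lang" wherever it happens to exist. The following Python is an added example, not the patch the Horde team shipped and not IMP code, showing the general check for the case where a file name really must come from outside: resolve it under one fixed, trusted directory, refuse anything that looks like a URL or a path, and only accept names from an allowlist. The directory layout, file names and extensions are assumptions for the example.

```python
import posixpath
import re

# Assumed installation layout for this example; not IMP's real directory tree.
LIB_ROOT = "/var/www/horde/lib"
LOCALE_ROOT = "/var/www/horde/locale"

# Anything with a URL scheme: PHP's include() would fetch and execute it.
_HAS_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")

# Plain file names only: no separators, no scheme, one of the known extensions.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:php|lang)")


class UnsafeInclude(ValueError):
    """Raised when a requested include does not stay inside its trusted root."""


def resolve_include(root: str, requested: str) -> str:
    """Map ``requested`` onto an absolute path directly inside ``root``.

    Each rejection closes one way an attacker-influenced name can select code
    the application did not ship: a remote URL (problem 1), an absolute path
    or traversal to a file planted elsewhere on the server (problem 3), or a
    name that is not one the application is expected to load at all.
    """
    if _HAS_SCHEME.match(requested):
        raise UnsafeInclude("remote includes are not permitted: %r" % requested)
    if requested.startswith("/"):
        raise UnsafeInclude("absolute paths are not permitted: %r" % requested)
    if not _SAFE_NAME.fullmatch(requested):
        raise UnsafeInclude("file name not in allowlist: %r" % requested)
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # Independent of the regex above: if the allowlist is ever loosened, this
    # still guarantees the file sits directly in root and nowhere else.
    if posixpath.dirname(candidate) != root:
        raise UnsafeInclude("resolved outside %s: %s" % (root, candidate))
    return candidate


def is_safe_include(root: str, requested: str) -> bool:
    """Boolean form of resolve_include for callers that only need a verdict."""
    try:
        resolve_include(root, requested)
    except UnsafeInclude:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs for illustration; not taken from the advisory.
    for root, name in [(LIB_ROOT, "session.php"),
                       (LIB_ROOT, "http://example.net/phplib.php"),
                       (LOCALE_ROOT, "prefs.lang"),
                       (LOCALE_ROOT, "/tmp/prefs.lang"),
                       (LOCALE_ROOT, "../../tmp/prefs.lang")]:
        try:
            print("ok      ", resolve_include(root, name))
        except UnsafeInclude as exc:
            print("rejected", exc)
```

For problem (1) the stronger fix is the one the advisory implies: the library directory is a constant written by the installation, never a variable that request input can populate, so no resolver is needed at all. The resolver above is for the remaining cases, such as a per-user language file, where some name does originate outside the application; note that it works on path strings only and does not follow symlinks, so on a host where untrusted users can create symlinks inside the trusted directory you would additionally compare the real path of the opened file.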

    This release also has a new Lithuanian translation.

    Download:

    This release can be downloaded from the following locations:

            ftp://ftp.horde.org/pub/horde/
            ftp://ftp.horde.org/pub/imp/

    MD5 checksums:

    123d9b8b91f2526ece1595271d33d52c horde-1.2.6.tar.gz
    10c5f9b73b1894a2c6b78e46935808ea imp-2.2.6.tar.gz
    f8126f1b60698e599a2d7a66b41632e4 patch-horde-1.2.5-1.2.6.gz
    f3b617e2cbd997ad406080440d30d554 patch-imp-2.2.5-2.2.6.gz

    Credits:

    The Horde Project would like to thank:

     - giancarlo pinerolo <giancarlo@navigare.net> for reporting problem (1)
     - Nick Cleaton <nick@cleaton.net> for reporting problem (2)

    Problem (3) was discovered during an internal audit resulting from the
    "Study in Scarlet" paper by Shaun Clowes <shaun@securereality.com.au>,
    to whom we're also grateful. Problem (3) was the only "scarlet"-type
    vulnerability discovered during the audit; the code looks very good in
    this regard.

    -- 
    Brent J. Nordquist <bjn@horde.org> N0BJN
    Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 22:16:22 CEST