CSS vulnerabilities in IMP 3.0

From: Brent J. Nordquist (bjnat_private)
Date: Thu Jun 13 2002 - 07:01:00 PDT

  • Next message: Patrick Smith: "simpleinit root exploit - file descriptor left open"

    This is an update to the following security notification:
    On Sat, 6 Apr 2002, Brent J. Nordquist <bjnat_private> wrote:
    > The Horde team announces the availability of IMP 2.2.8, which prevents
    > some potential cross-site scripting (CSS) attacks.
    > [...]
    > The Horde Project would like to thank Nuno Loureiro <nunoat_private>
    > for discovering this problem and providing a very thorough analysis.
    Sites using IMP 3.0 should note that IMP 3.0 is also vulnerable to these
    attacks, but IMP 3.1 (final released this week) is not.  Therefore, IMP
    3.0 users are encouraged to upgrade to IMP 3.1 to prevent these potential
    IMP 3.1 can be downloaded from the following location (Horde 2.0 does not
    need to be upgraded; it will work with IMP 3.1):
    MD5 checksums:
    MD5 (imp-3.1.tar.gz) = 73ff42a32e3ee3617fd411be356cb70f                         
    MD5 (patch-imp-3.0-3.1.gz) = a7c9330ab1df2cd727c4aeb858138821  
    Brent J. Nordquist <bjnat_private> N0BJN
    Other contact information: http://www.nordist.net/contact.html

    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 07:24:49 PDT