[Fwd: IMP 2.2.7 (SECURITY) released]
The following mail was sent to suse-security a while ago. Today I looked up the patches on the update directory and still no IMP 2.2.7 :-( Is anything wrong with the patch, or is there any other reason not to supply a patch for a security problem?

While I'm at it: the recommended kernel for Suse EMail Server II still seems to be 2.2.16. Version 2.2.19 never seems to have made it to the update directory. Any reason?

Keep up the (otherwise) good work,
Martin

-------- Original Message --------
Subject: [Fwd: IMP 2.2.7 (SECURITY) released]
Date: Fri, 16 Nov 2001 09:02:40 +0100
From: Martin Sckopke <m.sckopke@gis-systemhaus.de>
Company: GiS
To: suse-security@suse.com

I found the following message on Bugtraq. Is Suse working on a fix for Suse EMail-Server II? The patch on the update server is still 2.2.6.

Martin

"Brent J. Nordquist" wrote:
The Horde team announces the availability of IMP 2.2.7, which fixes a potential session hijacking vulnerability using a cross-site scripting (CSS) attack. We recommend that all sites running IMP 2.2.x upgrade to this version.
The Horde Project would like to thank João Pedro Gonçalves from the Phibernet Information Network <megas@phibernet.org> for discovering this problem and alerting us. From his description:
- It's possible to hijack an imp/horde session using a cross-site script attack, quite similar to the one explored by Marc Slemko in his "Microsoft Passport to Trouble" paper.
- After hijacking the cookies, the attacker can use the session and read the victim's mail.
- All stable imp webmail versions, up to and including 2.2.6, are vulnerable; the devel version, 2.3, and 3.0 Release Candidate 1 are not affected by this vulnerability.
This release also has a new Chinese (Simplified) translation.
--
The three golden rules to ensure computer security are: Do not own a computer; do not power it on; and do not use it (Robert (Bob) T. Morris)

GiS - Gesellschaft fuer integrierte Systemplanung mbH
Martin Sckopke
Junkersstr. 2
D-69469 Weinheim
Tel. +49-6201-503-74
Fax +49-6201-503-66
m.sckopke@gis-systemhaus.de