[Fwd: IMP 2.2.7 (SECURITY) released]

16 Nov 2001

      I found the following message on Bugtraq.
Is suse working on a fix for Suse EMail-Server II?
The patch on the update-server is still 2.2.6.

	Martin

"Brent J. Nordquist" wrote:
...
The Horde team announces the availability of IMP 2.2.7, which fixes a
potential session hijacking vulnerability using a cross-site scripting
(CSS) attack.  We recommend that all sites running IMP 2.2.x upgrade to
this version.
The Horde Project would like to thank João Pedro Gonçalves from the
Phibernet Information Network  for discovering this
problem and alerting us.  From his description:
...
- It's possible to hijack an imp/horde session using a cross-site
script attack, quite similar to the one explored by Marc Slemko in his
"Microsoft Passport to Trouble" paper.
- After hijacking the cookies, the attacker can use the session and read
the victim's mail.
- All stable imp webmail versions, up to 2.2.6 including are vulnerable,
the devel version, 2.3 and 3.0 Release Candidate 1 are not affected by
this vulnerability.
This release also has a new Chinese (Simplified) translation.
-- 
The three golden rules to ensure computer security are:
Do not own a computer; do not power it on; and do not use it
                                     (Robert (Bob) T.Morris)

GiS - Gesellschaft fuer integrierte Systemplanung mbH
Martin Sckopke                   Tel. +49-6201-503-74
Junkersstr. 2                    Fax  +49-6201-503-66
D-69469 Weinheim          m.sckopke@gis-systemhaus.de