Bug#: 205377
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Lars Hartmann <lars@chaotika.org>
Description:   Opened: 2008-01-12 00:05 0000
Secunia Research has discovered a vulnerability in IMP Webmail Client
and Horde Groupware Webmail Edition, which can be exploited by
malicious people to bypass certain security restrictions and
manipulate data.

The HTML filter does not filter out <frame> and <frameset> HTML
elements. Additionally, the application allows users to perform
certain actions via HTTP requests without performing any validity
checks to verify the request. This can be exploited to (a) delete an
arbitrary number of e-mail messages by referencing their numeric IDs
and (b) purge deleted mails, when the victim opens a malicious HTML
mail.

Successful exploitation requires that the victim opens the HTML part
of a malicious message.

Solution:
Update to Horde 3.1.6 or Horde Groupware Webmail Edition 1.0.4.
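
The two weaknesses the advisory describes, an HTML filter that lets <frame>/<frameset> through and state-changing actions that any HTTP request can trigger, can be closed server-side as in this added Python example; it is not Horde/IMP code, and the tag allowlist, the token derivation and the handle_delete interface are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from html.parser import HTMLParser

# Tags the mail viewer is allowed to render (constructed allowlist for this example).
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "div", "span", "ul", "li"}

class AllowlistFilter(HTMLParser):
    """Rebuild markup from an allowlist: anything not listed (frame, frameset,
    script, ...) is dropped instead of having to be named in a denylist."""
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        # Only absolute http(s) links survive; every other attribute is discarded.
        keep = [(k, v) for k, v in attrs
                if k == "href" and v and v.startswith(("http://", "https://"))]
        self.out.append(f"<{tag}" + "".join(f' {k}="{html.escape(v)}"' for k, v in keep) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_html(markup: str) -> str:
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)

# Per-deployment secret for request tokens (generated here; load from config in practice).
SECRET = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    """Token the application embeds in its own delete/purge forms and links."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_delete(session_id: str, params: dict) -> str:
    """State-changing action: refuse unless the request carries the session's token,
    so a request triggered by a rendered mail (which has no token) deletes nothing."""
    if not hmac.compare_digest(params.get("token", ""), csrf_token(session_id)):
        return "rejected: missing or invalid request token"
    ids = [int(i) for i in params.get("ids", "").split(",") if i.strip().isdigit()]
    return f"deleted {len(ids)} message(s)"
```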

------- Comment #1 From Lars Hartmann 2008-01-12 00:07:17 0000 -------
maintainers - please advise

------- Comment #2 From Robert Buchholz 2008-01-12 01:17:02 0000 -------
*** Bug 203098 has been marked as a duplicate of this bug. ***

------- Comment #3 From SpanKY 2008-01-12 05:30:53 0000 -------
all horde packages should be bumped now

------- Comment #4 From Pierre-Yves Rofes 2008-01-13 11:14:32 0000 -------
Thanks Mike. horde-webmail is ok because of ~arch. Arches, please test and mark
stable www-apps/horde-imp-4.1.6. Target "alpha amd64 hppa ppc sparc x86"

------- Comment #5 From Markus Meier 2008-01-13 22:42:56 0000 -------
x86 stable

------- Comment #6 From Jeroen Roovers 2008-01-15 14:36:43 0000 -------
Stable for HPPA.

------- Comment #7 From Raúl Porcel 2008-01-16 12:15:39 0000 -------
alpha/sparc stable

------- Comment #8 From Tobias Scherbaum 2008-01-18 20:27:13 0000 -------
ppc stable

------- Comment #9 From Steve Dibb 2008-01-23 16:10:01 0000 -------
amd64 stable

------- Comment #10 From Pierre-Yves Rofes 2008-02-11 22:41:08 0000 -------
GLSA 200802-03
