Bug 53862 - net-www/horde-imp Input Validation Vulnerability
Summary: net-www/horde-imp Input Validation Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-13 23:37 UTC by Lance Albertson (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Lance Albertson (RETIRED) gentoo-dev 2004-06-13 23:37:43 UTC
Excerpt from my SANS email:

04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in
PHP. Insufficient sanitization of email messages that contain
malicious HTML or script code exposes an arbitrary HTML injection and
script execution issue. All current releases in the 3.x branch are
affected.
Ref: http://www.horde.org/imp/3.2/

I don't see anything specific on their site about what exactly causes this (might be in the ChangeLog when you download it). Version 3.2.4 is in portage, but marked ~arch on all arches. Bug #53400 was the initial bug for getting it into portage, but no mention of the security fix.
Comment 1 SpanKY gentoo-dev 2004-06-14 04:58:54 UTC
moved 3.2.4 to stable and removed 3.2.3
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-15 11:43:04 UTC
GLSA drafted. Security please review.

Bugtraq announcement can be found here:

http://www.securityfocus.com/bid/10501/

Note: bug number 53862 does not appear in the ChangeLog
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-06-16 06:31:27 UTC
glsa 200406-11