Bug 335874 (CVE-2010-1638)

Summary: www-apps/horde-imp: firewall bypass (CVE-2010-1638)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: a3li, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:00:16 UTC
CVE-2010-1638 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1638):
  The IMP plugin in Horde allows remote attackers to bypass firewall
  restrictions and use Horde as a proxy to scan internal networks via a
  crafted request to an unspecified test script.  NOTE: this is only a
  vulnerability when the administrator does not follow recommendations
  in the product's installation documentation.

Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-29 18:36:05 UTC
Horde ebuilds now show an ewarn to consult the SECURITY guide before providing Horde in a production environment. That's all we can do.

Closing noglsa.