Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 53862

Summary: net-www/horde-imp Input Validation Vulnerability
Product: Gentoo Security Reporter: Lance Albertson (RETIRED) <ramereth>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Lance Albertson (RETIRED) gentoo-dev 2004-06-13 23:37:43 UTC
Excerpt from my SANS email:

04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in
PHP. Insufficient sanitization of email messages that contain
malicious HTML or script code expose an arbitrary HTML injection and
script execution issue. All current releases in the 3.x branch are

I don't see anything specific on their site about what exactly causes this (might be in the Changlog when you download it). Version 3.2.4 is in portage, but marked ~arch on all arch's. Bug #53400 was the initial bug for getting it into portage, but no mention of the security fix.
Comment 1 SpanKY gentoo-dev 2004-06-14 04:58:54 UTC
moved 3.2.4 to stable and removed 3.2.3
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-15 11:43:04 UTC
GLSA drafted. Security please review.

Bugtraq announcement can be found here:

Note: bug number 53862 does not appear in the ChangeLog
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-06-16 06:31:27 UTC
glsa 200406-11