SecurityTracker.com
Category:   Application (E-mail Server)  >   Horde Internet Messaging Program (IMP)
Vendors:   Horde Project
(Caldera Issues Fix) Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
SecurityTracker Alert ID:  1002843
SecurityTracker URL:  http://securitytracker.com/id/1002843
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 28 2001
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): All stable versions up through 2.2.6
Description:   A cross-site scripting vulnerability has been reported in the Horde Project Internet Messaging Program (IMP). A remote user can potentially hijack an IMP session.

It is reported that a remote user can create a malicious HTML-based e-mail message such that, when the message is viewed, arbitrary code is executed by the target user's browser. The code will appear to originate from the mail server and will be able to access the user's web mail cookies and forward those cookies to another location.

After obtaining the cookies, the remote user can then hijack the session and read the target user's email.

It is reported that the development version 2.3 and 3.0 Release Candidate 1 are not affected by this vulnerability.

The vendor has reportedly been notified.

A demonstration exploit URL is provided in the Source Message.

Impact:   A remote user can hijack another user's email session.
Solution:   The vendor has released a fix for OpenLinux 3.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

The verification checksums are:

53a9d75c760851f79fa72cb451416f96 RPMS/horde-1.2.7-1.i386.rpm
4bb1af4dcd98af6f168543476f691b95 RPMS/imp-2.2.7-1.i386.rpm
d81a0095d83a4f9a7751c923f6afaf71 SRPMS/horde-1.2.7-1.src.rpm
a1eeaf8781edc12f8c90386cd289e0a6 SRPMS/imp-2.2.7-1.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh horde-1.2.7-1.i386.rpm imp-2.2.7-1.i386.rpm

Caldera has provided the following update notes:

If horde was activated in the apache module "/etc/httpd/modules/mod_php4_horde.conf" you will have to reconfigure it by changing "deny from all" to "allow from all".

Do not run "/usr/lib(exec)/horde/horde.setup" if you already have started the script before the update. If you run the script again, all passwords will be changed back to the default value and you will have to change them manually in "/home/httpd/html/horde/imp/config/defaults.php3" and "/home/httpd/phplib/local.inc".
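
The verify-then-install step above, as an added example (not part of the Caldera advisory or the SecurityTracker entry): a POSIX shell function that succeeds only if every package listed in a checksum manifest is present and matches, so the rpm -Fvh command can be gated on it. It assumes the 32-hex-digit values are MD5 sums and that md5sum is installed; advisory_manifest and verify_manifest are illustrative names.

```shell
#!/bin/sh
# Added example: gate the advisory's "rpm -Fvh" step on checksum verification.

# The two binary-package lines from the advisory's verification list
# (assumed to be MD5 sums, one "<hash>  <path>" pair per line).
advisory_manifest() {
cat <<'EOF'
53a9d75c760851f79fa72cb451416f96  RPMS/horde-1.2.7-1.i386.rpm
4bb1af4dcd98af6f168543476f691b95  RPMS/imp-2.2.7-1.i386.rpm
EOF
}

# verify_manifest MANIFEST DIR
# Returns 0 only if every file named in MANIFEST exists under DIR and its
# MD5 matches. Missing files, mismatches and an empty manifest all fail.
verify_manifest() {
    manifest=$1 dir=$2 failed=0 checked=0
    while read -r want path; do
        [ -n "$want" ] || continue              # skip blank lines
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path" >&2; failed=1; continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
            checked=$((checked + 1))
        else
            echo "MISMATCH $path (got $got)" >&2; failed=1
        fi
    done < "$manifest"
    # A manifest that verified nothing must not count as a pass.
    [ "$failed" -eq 0 ] && [ "$checked" -gt 0 ]
}

# Usage, from the directory that holds the downloaded RPMS/ folder:
#   advisory_manifest > manifest.txt
#   verify_manifest manifest.txt . && \
#       rpm -Fvh RPMS/horde-1.2.7-1.i386.rpm RPMS/imp-2.2.7-1.i386.rpm
```

The check is only as trustworthy as the manifest, so take the checksum list from the PGP-signed advisory after verifying its signature rather than from the same FTP directory as the packages.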

Vendor URL:  www.horde.org/imp/
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux Server 3.1, All packages previous to horde-1.2.7-1 and imp-2.2.7-1

Message History:   This archive entry is a follow-up to the message listed below.
Nov 9 2001 Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions



 Source Message Contents

Subject:  Security Update: [CSSA-2001-039.0] Linux - IMP/HORDE cross site scripting vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.	Security Advisory

Subject:		Linux - IMP/HORDE cross site scripting vulnerability
Advisory number: 	CSSA-2001-039.0
Issue date: 		2001, November 22
Cross reference:
______________________________________________________________________________


1. Problem Description

   The webmail frontend IMP has a cross site scripting problem, allowing
   a remote attacker to send you an E-mail with a malformed URL that when
   clicked on will open your mail session to the attacker, allowing him
   to read and delete your E-mails.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable

   OpenLinux eServer 2.3.1       not vulnerable
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4        not vulnerable

   OpenLinux Server 3.1          All packages previous to
                                 horde-1.2.7-1
                                 imp-2.2.7-1

   OpenLinux Workstation 3.1     not vulnerable



3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    not vulnerable

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       53a9d75c760851f79fa72cb451416f96  RPMS/horde-1.2.7-1.i386.rpm
       4bb1af4dcd98af6f168543476f691b95  RPMS/imp-2.2.7-1.i386.rpm
       d81a0095d83a4f9a7751c923f6afaf71  SRPMS/horde-1.2.7-1.src.rpm
       a1eeaf8781edc12f8c90386cd289e0a6  SRPMS/imp-2.2.7-1.src.rpm


   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh horde-1.2.7-1.i386.rpm imp-2.2.7-1.i386.rpm

       Update notes:

       If horde was activated in the apache module
       "/etc/httpd/modules/mod_php4_horde.conf" you will have to
       reconfigure it by changing "deny from all" to "allow from all".

       Do not run "/usr/lib(exec)/horde/horde.setup" if you already have
       started the script before the update. If you run the script again,
       all passwords will be changed back to the default value and you
       will have to change them manually in
       "/home/httpd/html/horde/imp/config/defaults.php3" and
       "/home/httpd/phplib/local.inc"


8. OpenLinux 3.1 Workstation

    not vulnerable


9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10931.


10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

   Caldera International wishes to thank Joao Pedro Goncalves for reporting
   this problem, and the Horde Project for promptly fixing it.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7/NON18sy83A/qfwRAqa4AKCBDdj12RqfHCjn4hnZlMnUvK5TxwCgwba1
phhM9K8dnQ75bC8XqMbcduo=
=dpFU
-----END PGP SIGNATURE-----

