[UNIX] Remote Vulnerability in Horde MTA
From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/03
To: list@securiteam.com
Date: 18 Aug 2003 14:13:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Vulnerability in Horde MTA
------------------------------------------------------------------------
SUMMARY
<http://www.horde.org> Horde is "both a piece of software and a project.
The Horde Project comprises a set of Web-based productivity, messaging,
and project-management applications, each of which is described below. The
Horde Framework is a common code-base used by Horde applications,
including libraries and a common user interface. The Horde Framework
doesn't do anything on its own; as a user, you will always be interacting
with a Horde-based application".
<http://www.horde.org/imp/> IMP is "the Internet Messaging Program
(formerly, among other things, the IMAP web mail Program), a web mail
system and a component of the Horde project. IMP is the most widely
deployed component of Horde. IMP offers most of the features users have
come to expect from their conventional mail programs, including
attachments, spell-check, address books, multiple folders, and
multiple-language support".
An attacker could send an email to the victim using Horde MTA and cause
him to unwillingly reveal his Horde session ID.
DETAILS
Vulnerable Systems:
* Horde MTA versions prior to 2.2.4
Immune Systems:
* Horde MTA version 2.24
Example:
http://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C879B290D12630&INDEX=XXX
As the example above shows, the session ID is carried in the URL, so it can
be captured by very simple Referer monitoring. Since the session becomes
obsolete only after approximately 20 minutes, an attacker has a lot of time
to hijack the Horde account.
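The following is an added example, not part of the original advisory: a defender-side check that scans an egress proxy log for requests whose Referer header carries a Horde session ID to a host other than the webmail server. The log format, host names and sample lines are constructed for illustration, and the parameter name and 32-hex-digit value shape are assumed from the example URL above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the session parameter is named "Horde" (as in the advisory's
# example URL) and carries a 32-character hex value.
SESSION_PARAM = "horde"
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample of an egress proxy log (hypothetical format):
# timestamp <TAB> client <TAB> requested URL <TAB> Referer header
SAMPLE_LOG = """\
2003-08-18T14:01:02\t10.0.0.5\thttp://webmail.example.net/horde/imp/mailbox.php?Horde=0123456789abcdef0123456789abcdef\thttp://webmail.example.net/horde/imp/message.php?Horde=0123456789abcdef0123456789abcdef&index=7
2003-08-18T14:01:09\t10.0.0.5\thttp://tracker.example.org/pixel.gif\thttp://webmail.example.net/horde/imp/message.php?Horde=0123456789abcdef0123456789abcdef&index=7
2003-08-18T14:02:30\t10.0.0.9\thttp://news.example.com/story.html\thttp://webmail.example.net/horde/imp/message.php?index=3
2003-08-18T14:03:11\t10.0.0.9\thttp://cdn.example.org/logo.png\t-
"""

def session_token(url):
    """Return the session ID carried in the URL's query string, or None."""
    for name, value in parse_qsl(urlsplit(url).query):
        if name.lower() == SESSION_PARAM and TOKEN_RE.match(value):
            return value
    return None

def find_referer_leaks(log_text):
    """Report requests whose Referer exposes a session ID to another host."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines
        timestamp, client, url, referer = fields
        token = session_token(referer)
        if token is None:
            continue
        target, origin = urlsplit(url).hostname, urlsplit(referer).hostname
        if target == origin:
            continue  # same host: the webmail server already knows the ID
        leaks.append({
            "time": timestamp, "client": client,
            "webmail_host": origin, "leaked_to": target,
            # Redact so the report does not itself expose a live session ID.
            "session": token[:4] + "..." + token[-2:],
        })
    return leaks

if __name__ == "__main__":
    for leak in find_referer_leaks(SAMPLE_LOG):
        print(leak)
```

Only the second sample line is reported: the first stays on the webmail host, the third has no session ID in its Referer, and the fourth has no Referer at all.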
Vendor Status:
The vulnerability has been fixed in version 2.2.4, see:
<http://lists.horde.org/archives/announce/2003/000051.html>
ADDITIONAL INFORMATION
The information has been provided by Vincenzo 'puccio' Ciaglia
<mailto:puccio@pucciolab.org>.