COMMAND

    IMP

SYSTEMS AFFECTED

    IMP prior to 2.2.6

PROBLEM

    Brent J. Nordquist posted the following.  The Horde team announces
    the availability of IMP 2.2.6, which fixes three potential
    security issues.

    (1)  A PHPLIB vulnerability allowed an attacker to provide a value
         for the array element $_PHPLIB[libdir], and thus to get
         scripts from another server to load and execute. Incidentally
         this problem is not remotely exploitable if you have turned
         off transparent URL handling in the fopen() function in PHP.
         (Horde 1.2.x ships with its own customized version of PHPLIB,
         which has now been patched to prevent this problem.)

    (2)  By using tricky encodings of "javascript:" an attacker can
         cause malicious JavaScript code to execute in the browser of
         a user reading email sent by the attacker.  (IMP 2.2.x
         already filters many such patterns; several new ones that
         were slipping past the filters are now blocked.)

    (3)  A hostile user that can create a publicly-readable file named
         "prefs.lang" somewhere on the Apache/PHP server can cause
         that file to be executed as PHP code.  The IMP configuration
         files could thus be read, the Horde database password used
         to read and alter the database used to store contacts and
         preferences, etc.  We do not believe this is remotely
         exploitable directly through Apache/PHP/IMP; however, shell
         access to the server or other means (e.g., FTP) could be
         used to create this file.

    The Horde Project would like to thank Giancarlo Pinerolo for
    reporting problem (1) and Nick Cleaton for reporting problem (2).
    Problem (3) was discovered during an internal audit resulting
    from the "Study in Scarlet" paper by Shaun Clowes.  Problem (3)
    was the only "scarlet"-type vulnerability discovered during the
    audit; the code looks very good in this regard.
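
    Added example, not part of the Horde announcement and not IMP's
    code: for problem (2), a Python comparison of a literal
    "javascript:" pattern match against a check that decodes and
    normalizes the attribute value before applying a scheme allowlist.
    The allowlist, function names and sample values are assumptions
    constructed for illustration.

```python
import html
import re

# Assumed link policy for a webmail viewer; not taken from IMP.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
_C0_AND_SPACE = "".join(map(chr, range(0x21)))   # U+0000..U+0020

def naive_is_safe(raw_value):
    """Pattern blacklist of the kind that encodings slip past (hypothetical)."""
    return "javascript:" not in raw_value.lower()

def scheme_of(raw_value):
    """Scheme of an attribute value after browser-style normalization."""
    url = html.unescape(raw_value)            # &#106; and &#0000106 -> j
    url = re.sub(r"[\t\r\n]", "", url)        # browsers drop these inside URLs
    url = url.strip(_C0_AND_SPACE)            # and ignore surrounding controls
    m = re.match(r"[A-Za-z][A-Za-z0-9+.\-]*(?=:)", url)
    return m.group(0).lower() if m else None  # None means a relative URL

def is_safe(raw_value):
    """Allowlist check: relative URLs and known-good schemes only."""
    scheme = scheme_of(raw_value)
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed attribute values as they would appear in raw message HTML.
SAMPLES = [
    "http://example.org/",
    "mailto:user@example.org",
    "/mail/inbox",
    "JavaScript:void(0)",
    "&#106;avascript:void(0)",
    "&#0000106avascript:void(0)",
    "java&#9;script:void(0)",
    "jav&#x0A;ascript:void(0)",
    " \x01javascript:void(0)",
]

def compare(samples=SAMPLES):
    """Return (value, naive verdict, normalized verdict) for each sample."""
    return [(s, naive_is_safe(s), is_safe(s)) for s in samples]

if __name__ == "__main__":
    for value, naive, strict in compare():
        print(f"{value!r:32} naive={'pass' if naive else 'block':5} "
              f"normalized={'pass' if strict else 'block'}")
```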

SOLUTION

    We strongly recommend that all sites running IMP 2.2.x upgrade to
    this version.  This release can be downloaded from the following
    locations:

        ftp://ftp.horde.org/pub/horde/
        ftp://ftp.horde.org/pub/imp/

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/horde-1.2.6-1U41_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/imp-2.2.6-1U41_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-1.2.6-1U41_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-mysql-1.2.6-1U41_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-shm-1.2.6-1U41_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/horde-pgsql-1.2.6-1U41_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/noarch/imp-2.2.6-1U41_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/horde-1.2.6-1U42_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/imp-2.2.6-1U42_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-1.2.6-1U42_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-shm-1.2.6-1U42_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-mysql-1.2.6-1U42_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/horde-pgsql-1.2.6-1U42_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/noarch/imp-2.2.6-1U42_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/horde-1.2.6-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/imp-2.2.6-1U50_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-mysql-1.2.6-1U50_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-1.2.6-1U50_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-shm-1.2.6-1U50_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/horde-pgsql-1.2.6-1U50_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/noarch/imp-2.2.6-1U50_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/horde-1.2.6-1U51_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/imp-2.2.6-1U51_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-pgsql-1.2.6-1U51_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-1.2.6-1U51_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-mysql-1.2.6-1U51_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/horde-shm-1.2.6-1U51_1cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/noarch/imp-2.2.6-1U51_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/imp-2.2.6-1U60_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/horde-1.2.6-1U60_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/horde-mysql-1.2.6-1U60_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/horde-1.2.6-1U60_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/horde-shm-1.2.6-1U60_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imp-2.2.6-1U60_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/horde-pgsql-1.2.6-1U60_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/horde-1.2.6-1U70_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/imp-2.2.6-1U70_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imp-2.2.6-1U70_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-mysql-1.2.6-1U70_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-pgsql-1.2.6-1U70_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-shm-1.2.6-1U70_2cl.noarch.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-1.2.6-1U70_2cl.noarch.rpm

    For Caldera:

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
            RPMS/horde-1.2.6-1.i386.rpm
            RPMS/imp-2.2.6-1.i386.rpm
            SRPMS/horde-1.2.6-1.src.rpm
            SRPMS/imp-2.2.6-1.src.rpm

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/main/source/horde_1.2.6-0.potato.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/horde_1.2.6-0.potato.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/horde_1.2.6.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/source/imp_2.2.6-0.potato.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/imp_2.2.6-0.potato.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/imp_2.2.6.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-all/horde_1.2.6-0.potato.1_all.deb
        http://security.debian.org/dists/stable/updates/main/binary-all/imp_2.2.6-0.potato.1_all.deb