

IMP cross-site script attack
12th Nov 2001 [SBWID-4852]



	 IMP 2.2.6 and lower

	 Not vulnerable : 2.2.7, dev versions 2.3 and 3.0


	João Pedro Gonçalves found that it's possible to hijack an IMP webmail
	session using a cross-site script attack, quite similar to the one
	explored by Marc Slemko in his "Microsoft Passport to Trouble" paper.

	To exploit this vulnerability using a text message, the attacker sends
	an email containing a URL; if the user clicks it, the browser is
	redirected to






	which in turn redirects the user's browser to the attacker's server,
	where the attacker captures the cookies that the browser used in the
	context of the webmail site, and therefore the session.


	Upgrade to 2.2.7

	Packages can be found on :



	MD5 checksums:

	2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz

	b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz

	818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz

	556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz
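
	One way to check downloaded 2.2.7 packages against the MD5 list above before upgrading. This is an added example, not part of the original advisory or of the Horde/IMP project; the function names and the choice of directory are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Checksum list as published in the advisory above (md5sum format).
ADVISORY_MD5 = """\
2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz
b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz
818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz
556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz
"""

_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Return {filename: md5hex}; raise ValueError on a malformed line."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {raw!r}")
        name = m.group(2)
        # Reject path components so an entry cannot point outside the directory.
        if Path(name).name != name:
            raise ValueError(f"unexpected path in manifest: {name!r}")
        expected[name] = m.group(1).lower()
    return expected


def verify(directory, manifest=ADVISORY_MD5):
    """Map each listed file to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, want in parse_manifest(manifest).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        # MD5 as published: catches a corrupted or wrong download, not a crafted collision.
        got = hashlib.md5(path.read_bytes()).hexdigest()
        results[name] = "ok" if got == want else "mismatch"
    return results


if __name__ == "__main__":
    for name, status in verify(".").items():
        print(f"{status:9} {name}")
```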

