Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba and IMP, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session. http://packetstormsecurity.org/0809-exploits/turba-xss.txt http://www.securityfocus.com/bid/31168 http://xforce.iss.net/xforce/xfdb/45131 The patches can be found here: http://cvs.horde.org/diff.php/imp/test.php?r1=1.70&r2=1.71 http://cvs.horde.org/diff.php/turba/test.php?r1=1.22&r2=1.23
Thanks Josh, I'll take a look and hopefully push a fix tonight.
(In reply to comment #2)
> Thanks Josh, I'll take a look and hopefully push a fix tonight.
Hmm, I didn't get the fix in today. On a side note, it seems that out of the box, the latest releases also have this bug (IMP 4.3 and Turba 2.3). What's the accepted way of pushing this info upwards?
IMP part should be fixed in 4.2.1: http://lists.horde.org/archives/announce/2008/000460.html TURBA part should be fixed in 2.2.2: http://lists.horde.org/archives/announce/2008/000461.html
imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/imp-4.3.6-1.fc11
imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 434358: IMP fix. Adding patch here for posterity, as the upstream site no longer provides a web interface for browsing the CVS repository; only the new GIT repository is available.
Created attachment 434359: Turba fix
turba-2.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
turba-2.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.