Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba and
IMP allows remote attackers to inject arbitrary web script or HTML via the
User field in an IMAP session.
The patches can be found here:
Thanks Josh, I'll take a look and hopefully push a fix tonight.
(In reply to comment #2)
> Thanks Josh, I'll take a look and hopefully push a fix tonight.
Hmm, I didn't get the fix in today. On a side note, it seems that out of the box, the latest releases also have this bug (IMP 4.3 and Turba 2.3). What's the accepted way of pushing this info upwards?
The IMP part should be fixed in 4.2.1:
The TURBA part should be fixed in 2.2.2:
imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11.
imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 434358
Adding patch here for posterity, as the upstream site no longer provides a web interface for browsing the CVS repository; only the new GIT repository is available.
Created attachment 434359
turba-2.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
turba-2.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
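The summary of this report describes a reflected XSS: a value submitted in the User field of the IMAP test form is echoed back into the page without escaping. The following PHP is an added illustration of that bug class and its fix; it is not Horde's test.php, not the attached patch, and the file, function and constant names in it are hypothetical. The payload string is constructed for the example.

```php
<?php
// Added illustration of the bug class in this report; not Horde code.
// File, function and constant names are hypothetical.

declare(strict_types=1);

// Constructed sample input: an attacker-chosen value for the User field.
// It closes the value="" attribute and the <input> tag, then injects script.
const SAMPLE_PAYLOAD = '"><script>alert(document.cookie)</script>';

/**
 * Vulnerable pattern: the submitted user name is echoed straight back
 * into the IMAP test form so the tester can re-run the connection test.
 * The value lands inside an HTML attribute with no escaping at all.
 */
function renderUserFieldVulnerable(string $user): string
{
    return '<input type="text" name="user" value="' . $user . '" />';
}

/**
 * Hardened pattern: escape for the HTML attribute context before output.
 * ENT_QUOTES encodes both " and ', so the value cannot terminate the
 * attribute; the charset is given explicitly so it matches the page's
 * Content-Type instead of relying on the PHP default.
 */
function renderUserFieldSafe(string $user): string
{
    $escaped = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="user" value="' . $escaped . '" />';
}

/**
 * Minimal check used by this demo: does the rendered markup still contain
 * a live <script> tag? A real test would parse the HTML rather than grep it,
 * but this is enough to show the difference between the two renderers.
 */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Use the POSTed value when run behind a web server, otherwise fall back to
// the constructed payload so the script also runs from the CLI: php xss_demo.php
$user = $_POST['user'] ?? SAMPLE_PAYLOAD;

$vulnerable = renderUserFieldVulnerable($user);
$safe       = renderUserFieldSafe($user);

printf("vulnerable: %s\n  live script tag: %s\n",
    $vulnerable, containsScriptTag($vulnerable) ? 'yes' : 'no');
printf("hardened:   %s\n  live script tag: %s\n",
    $safe, containsScriptTag($safe) ? 'yes' : 'no');
```

With the sample payload, the vulnerable renderer emits `value=""><script>alert(document.cookie)</script>" />`, so the browser closes the input and runs the script; the hardened renderer emits `value="&quot;&gt;&lt;script&gt;...&lt;/script&gt;"`, which the browser treats as literal text. The fix is output-side: nothing about the IMAP session or the request needs to change, only the point where the request value is written into HTML, and the same escaping has to be applied in every template that reflects the field, not just one.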