From thierry@thomas.as  Fri Nov  9 16:57:44 2001
Return-Path: <thierry@thomas.as>
Received: from postfix2-1.free.fr (postfix2-1.free.fr [213.228.0.9])
	by hub.freebsd.org (Postfix) with ESMTP
	id 30E5337B405; Fri,  9 Nov 2001 16:57:44 -0800 (PST)
Received: from graf.pompo.net (unknown [213.228.34.166])
	by postfix2-1.free.fr (Postfix) with ESMTP
	id 2E053127; Sat, 10 Nov 2001 01:57:37 +0100 (CET)
Received: by graf.pompo.net (Postfix, from userid 1001)
	id 1F72C751E; Sat, 10 Nov 2001 01:55:54 +0100 (CET)
Message-Id: <20011110005554.1F72C751E@graf.pompo.net>
Date: Sat, 10 Nov 2001 01:55:54 +0100 (CET)
From: Thierry Thomas <thierry@thomas.as>
Reply-To: Thierry Thomas <thierry@thomas.as>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Kris Kennaway <kris@FreeBSD.org>
Subject: Port mail/imp: security-update - webmail session hijacking vulnerability
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         31889
>Category:       ports
>Synopsis:       Port mail/imp: security-update - webmail session hijacking vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 09 17:00:02 PST 2001
>Closed-Date:    Tue Nov 13 16:45:02 PST 2001
>Last-Modified:  Tue Nov 13 16:45:19 PST 2001
>Originator:     Thierry Thomas
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Kabbale Eros
>Environment:
System: FreeBSD graf.pompo.net 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Sep 22 10:41:40 CEST 2001 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386


	
>Description:
	- It's possible to hijack an imp/horde session using a cross-site script
 attack, quite similar to the one explored by Marc Slemko in his
 "Microsoft Passport to Trouble" paper.

	- After hijacking the cookies, the attacker can use the session and read
 the victim's mail.
	[Original mail from Joao Pedro Goncalves <megas@phibernet.org>
	- see CERT advisory on cross-site scripting
	http://www.cert.org/advisories/CA-2000-02.html ]
>How-To-Repeat:
	Don't try to repeat it ;-)
>Fix:

	The following patch has been issued by the Horde team:

diff -urN imp.orig/Makefile imp/Makefile
--- imp.orig/Makefile	Sat Oct 13 23:48:59 2001
+++ imp/Makefile	Sat Nov 10 01:37:34 2001
@@ -8,7 +8,7 @@
 
 PORTNAME=	imp
 PORTVERSION=	2.2.6
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail www
 MASTER_SITES=	ftp://ftp.horde.org/pub/imp/tarballs/
 
diff -urN imp.orig/files/patch-aa imp/files/patch-aa
--- imp.orig/files/patch-aa	Thu Jan  1 01:00:00 1970
+++ imp/files/patch-aa	Sat Nov 10 01:31:29 2001
@@ -0,0 +1,23 @@
+--- status.php3.orig	Mon Nov 13 22:35:30 2000
++++ status.php3	Sat Nov 10 01:26:38 2001
+@@ -4,9 +4,9 @@
+  
+  File: status.php3
+  $Author: chuck $
+- $Revision: 2.7.2.22 $
+- $Date: 2000/11/13 21:35:30 $
+- 
++ $Revision: 2.7.2.23 $
++ $Date: 2001/11/09 16:47:06 $
++
+  IMP: Copyright 1998, 1999, 2000 by Charles J. Hagenbuch <chuck@horde.org>
+  
+  You should have received a copy of the GNU Public
+@@ -45,6 +45,7 @@
+ page_close();
+ if (isset($imp)) $imp->unpickle();
+ $title = $lang->status_title;
++$message = htmlspecialchars($message);
+ 
+ /* doctype */
+ require "$default->include_dir/doctype.inc";
>Release-Note:
>Audit-Trail:

From: Thierry Thomas <thierry@thomas.as>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc:  
Subject: Re: ports/31889: Port mail/imp: security-update - webmail session hijacking vulnerability
Date: Sat, 10 Nov 2001 22:47:17 +0100

 Le 10 Nov 01   1:55:54 +0000, Thierry Thomas crivait:
 > 
 > >Number:         31889
 > >Category:       ports
 > >Synopsis:       Port mail/imp: security-update - webmail session hijacking vulnerability
 
 This port may be closed: it has been superseded by PR ports/31904.
 -- 
 Th. Thomas.
State-Changed-From-To: open->closed 
State-Changed-By: ijliao 
State-Changed-When: Tue Nov 13 16:45:02 PST 2001 
State-Changed-Why:  
superceded by pr/31904 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31889 
>Unformatted:
