From: Progeny Security Team <security@progeny.com>
To: progeny-security-announce@lists.progeny.com,
progeny-debian@lists.progeny.com, bugtraq@securityfocus.com,
linuxlist@securityportal.com
Subject: PROGENY-SA-2001-28: Three remote exploits in imp
Date: Tue, 14 Aug 2001 16:26:48 -0500 (EST)
Cc: Progeny Security Team <security@progeny.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------------------------------
PROGENY SERVICE NETWORK -- SECURITY ADVISORY PROGENY-SA-2001-28
---------------------------------------------------------------------------
Synopsis: Three remote exploits in imp
Software: imp
History:
2001-05-31 Vulnerability announced
2001-08-14 Update available in Progeny archive
Credits: Giancarlo Pinerolo <giancarlo@navigare.net>,
Nick Cleaton <nick@cleaton.net>
Affects: Progeny Debian (imp prior to 2.2.5-3)
Progeny Only: NO
Vendor-Status: New Version Released
(imp_2.2.5-3)
$Progeny: security/advisory/PROGENY-SA-2001-28,v 1.12 2001/08/14 20:15:34 schultmc Exp $
---------------------------------------------------------------------------
SUMMARY
imp, a web based IMAP mail program, contains multiple remote
vulnerabilities in Progeny versions prior to 2.2.5-3.
imp is not installed by default on Progeny systems.
DETAILED DESCRIPTION
The Horde team (authors of IMP) provided the following information about
the vulnerabilities:
(1) A PHPLIB vulnerability allowed an attacker to provide a value for
the array element $_PHPLIB[libdir], and thus to get scripts from another
server to load and execute. This vulnerability is remotely exploitable.
(Horde 1.2.x ships with its own customized version of PHPLIB, which has
now been patched to prevent this problem.)
(2) By using tricky encodings of "javascript:" an attacker can cause
malicious JavaScript code to execute in the browser of a user reading
email sent by attacker. (IMP 2.2.x already filters many such patterns;
several new ones that were slipping past the filters are now blocked.)
(3) A hostile user that can create a publicly-readable file named
"prefs.lang" somewhere on the Apache/PHP server can cause that file to
be executed as PHP code. The IMP configuration files could thus be
read, the Horde database password used to read and alter the database
used to store contacts and preferences, etc. We do not believe this is
remotely exploitable directly through Apache/PHP/IMP; however, shell
access to the server or other means (e.g., FTP) could be used to create
this file.
SOLUTION (See also: UPDATING VIA APT-GET)
Upgrade to a fixed version of imp. imp version 2.2.5-3
corrects the problem. For your convenience, you may upgrade to the
imp_2.2.5-3 package.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
Example:
# apt-get update
3. Using apt(8), install the new package. apt(8) will download the
update, verify its integrity with md5, and then install the
package on your system with dpkg(8).
Example:
# apt-get install imp
UPDATING VIA DPKG
1. Use your preferred FTP/HTTP client to retrieve the following
updated files from Progeny's update archive at:
http://archive.progeny.com/progeny/updates/newton/
MD5 Checksum Filename
-------------------------------- -------------------------------------
44f1dee29771047ce2ec64222fcce619 imp_2.2.5-3.0progeny1_all.deb
7ee9836b3780288820e70a72909d23bb horde_1.2.6-0.potato.1_all.deb
Example:
$ wget \
http://archive.progeny.com/progeny/updates/newton/imp_2.2.5-3.0progeny1_all.deb
2. Use the md5sum(1) command on the retrieved files to verify that
they match the MD5 checksum provided in this advisory:
Example:
$ md5sum imp_2.2.5-3.0progeny1_all.deb
3. Then install the replacement package(s) using dpkg(8).
Example:
# dpkg --install imp_2.2.5-3.0progeny1_all.deb
WORKAROUND
No known workaround exists for this vulnerability.
MORE INFORMATION
More information is available from http://www.securityfocus.com/bid/3079
and ftp://ftp.horde.org/pub/imp/imp-2.2.6-README
Progeny advisories can be found at http://www.progeny.com/security/.
---------------------------------------------------------------------------
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn
RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS
29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv
eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP
l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8
qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo
zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2
fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/
th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql
WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx
Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7
WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB
VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs
AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN
UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT
duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+
WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b
3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU
n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c
U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh
55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg
PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly
tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b
aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG
gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG
x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2
kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH
wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o
cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM
hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz
kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U
sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E
jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO
S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB
=6dRm
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7eZBbScF9I/ktTR8RAmBTAJ9yvkzrnW8L4kiYy0F/Mok1KhX2MwCdEJ8I
amaihdt2tFqicASo8fPghRg=
=/K88
-----END PGP SIGNATURE-----
_______________________________________________
linux-security mailing list
linux-security@lists.securityportal.com
https://lists.securityportal.com/mailman/listinfo/linux-security
http://www.securityportal.com/list/linux-security/