Atomic Secure Linux
All times are UTC - 5 hours [ DST ]

Post subject: Horde security risk in
Posted: Mon Apr 04, 2011 3:01 pm
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 851
Location: Germany
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration. This affects Horde/IMP in Plesk up to version 10.0.1. Plesk 10.1.1 contains Horde/IMP 4.3.9 and should not be affected.
SOURCE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695

SOLUTION:
http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11
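As an added illustration (not Horde's code and not posted in this thread): a Python model of the fetchmail_prefs_save handler with fm_id reflected unsafely beside a validated-and-escaped version, plus the access-log check that a WAF rule for this bug has to perform. The `actionID` parameter name, the `/horde/imp/` path prefix and the log entries are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed model of a "fetchmail_prefs_save" handler that reflects the fm_id
# request parameter into its response. Illustration only, not Horde's code.
def render_unsafe(params):
    """Vulnerable model: fm_id is copied into HTML with no validation or
    escaping, so a value containing a quote breaks out of the attribute."""
    return f'<input type="hidden" name="fm_id" value="{params.get("fm_id", "")}" />'

# fm_id selects one of a user's stored fetchmail accounts: a small integer.
FM_ID_RE = re.compile(r"\d{1,6}")

def validate_fm_id(value):
    """Return fm_id as an int, or None for anything that is not a short run of
    digits. Reject rather than 'clean': an account id has no legitimate reason
    to contain anything else."""
    if not isinstance(value, str) or not FM_ID_RE.fullmatch(value):
        return None
    return int(value)

def render_hardened(params):
    """Hardened model: validate on input, and still escape on output so the page
    stays safe if the validation is ever relaxed."""
    fm_id = validate_fm_id(params.get("fm_id"))
    if fm_id is None:
        return '<p class="error">Invalid fetchmail account id.</p>'
    return f'<input type="hidden" name="fm_id" value="{html.escape(str(fm_id))}" />'

def suspicious_fm_id_requests(log_lines):
    """Detection side: return access-log lines where a fetchmail_prefs_save request
    carries a missing or non-numeric fm_id, the condition a WAF rule for this
    bug has to match. Assumes the action is passed as 'actionID'."""
    hits = []
    for line in log_lines:
        target = line.split('"')[1].split()[1]  # request target from the quoted request line
        qs = parse_qs(urlsplit(target).query)
        if qs.get("actionID") == ["fetchmail_prefs_save"] \
                and validate_fm_id(qs.get("fm_id", [None])[0]) is None:
            hits.append(line)
    return hits

# Constructed access-log lines (combined log format; hosts, times and path prefix made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Apr/2011:15:01:00 -0500] "GET /horde/imp/fetchmailprefs.php'
    '?actionID=fetchmail_prefs_save&fm_id=2 HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/Apr/2011:15:02:00 -0500] "GET /horde/imp/fetchmailprefs.php'
    '?actionID=fetchmail_prefs_save&fm_id=1%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
]
```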

Post subject: Re: Horde security risk in
Posted: Mon Apr 04, 2011 3:13 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
Good news, ASL users and Atomicorp/gotroot modsecurity rules users are already immune to this. :-)

As an aside, we've had rules for years that protect against this, so in general this class of vulnerabilities is something you do not need to worry about if you are using ASL, or even just our modsecurity rules. We were also the first ones to have XSS rules out for modsecurity.

So sleep well tonight! :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: Horde security risk in
Posted: Mon Apr 04, 2011 4:52 pm
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 851
Location: Germany
Thanks :) I will sleep well... ASL is like a warm plaid in the cold and dangerous wilderness :mrgreen:
I never know if it's useful to post stuff like that. But better one time too many than missing a vulnerability.

Post subject: Re: Horde security risk in
Posted: Mon Apr 04, 2011 5:24 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3605
Location: Chantilly, VA
Agreed. Always err on the side of caution, I say, so if you don't know for sure, please post. And Horde does have a vulnerability; it just so happens that if you are running ASL and you didn't disable the cross site protection rules (340147, 340148 and 340149 in particular), then you are safe.

So thank you for posting. Just in case someone has disabled those rules: you'll want to either re-enable them or patch Horde.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
