Security updates for Horde web framework
In addition, security services provider iDefense has reported that version 3.1.4 of the Horde framework, released on 14th March, fixed a bug that an attacker could have used to damage an installation by deleting files. The problem was caused by a bug in the clean-up script, which used a parameter incorrectly. A successful attack did, however, require access to the system.
- IMP H3 (4.1.4) (final), announcement on horde.org
- Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues, bug report by Moritz Naumann
- Horde Project Cleanup Script Arbitrary File Deletion Vulnerability, security advisory from iDefense