Security updates for Horde web framework
The developers of the PHP-based Horde Application Framework, a collection of tools and functions for building web applications, have released version 4.1.4 of their IMP webmail client, which fixes two cross-site scripting vulnerabilities. It had been possible to insert JavaScript into a message's subject header or into the edit query parameter; the script would then be executed in the browser of the user viewing the page.
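Both flaws come down to the same root cause: an attacker-controlled string (a mail header, a request parameter) written into a page without encoding for the context it lands in. The following PHP script is an added illustration of the vulnerable pattern next to its hardened form; it is not IMP's or Horde's own code, and the HTML fragment, the `edit.php` link and the sample subject and parameter values are constructed for the example.

```php
<?php
// Added illustration (not Horde/IMP code): rendering untrusted mail data in HTML.
// The two spots named in the report are a message's Subject header and a
// query parameter; both are attacker-controlled strings that end up in a page.

declare(strict_types=1);

// Constructed sample inputs standing in for an incoming mail header and a
// request parameter, carrying the kind of payload the report describes.
$subject   = 'Invoice <script>alert(document.cookie)</script>';
$editParam = '" onmouseover="alert(1)';

// Vulnerable pattern: concatenating raw strings into HTML. The browser sees
// live markup, so the script in the subject runs in the webmail user's session
// and the quote in the parameter breaks out of the href attribute.
function renderUnsafe(string $subject, string $edit): string
{
    return '<tr><td>' . $subject . '</td>'
         . '<td><a href="edit.php?edit=' . $edit . '">edit</a></td></tr>';
}

// Hardened pattern: encode for the context the value lands in. Text placed in
// the HTML body or in an attribute value goes through htmlspecialchars() with
// ENT_QUOTES so both quote styles are neutralised; a value placed in a URL
// query string is percent-encoded first with rawurlencode() and then
// HTML-escaped as well, because the URL itself sits inside an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $subject, string $edit): string
{
    return '<tr><td>' . h($subject) . '</td>'
         . '<td><a href="edit.php?edit=' . h(rawurlencode($edit)) . '">edit</a></td></tr>';
}

// Regression check of the kind a test suite can carry: the rendered row must
// not contain a live tag or an event-handler attribute introduced by input.
function containsLiveMarkup(string $html): bool
{
    return (bool) preg_match('/<script|\bonmouseover="/i', $html);
}

echo 'unsafe: ', renderUnsafe($subject, $editParam), PHP_EOL;
echo 'safe:   ', renderSafe($subject, $editParam), PHP_EOL;
var_dump(containsLiveMarkup(renderUnsafe($subject, $editParam)));
var_dump(containsLiveMarkup(renderSafe($subject, $editParam)));
```

Run it with `php` on the command line and compare the two rows: in the hardened output the angle brackets of the subject appear as `&lt;` and `&gt;`, and the quote in the parameter is percent-encoded, so neither value can change the structure of the page. The point worth keeping from the example is that the escaping function has to match the output context; one global filter on input does not cover a value that is used both as body text and inside a URL.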
In addition, security services provider iDefense has reported that version 3.1.4 of the Horde framework, released on 14th March, fixed a bug which an attacker could have used to damage an installation by deleting files. The cause was a bug in the clean-up script, which handled one of its parameters incorrectly. A successful attack, however, required access to the system.
- IMP H3 (4.1.4) (final), announcement on horde.org
- Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues, bug report by Moritz Naumann
- Horde Project Cleanup Script Arbitrary File Deletion Vulnerability, security advisory from iDefense
(ehe)