Security Update for HORDE / IMP eMail Server II

Support knowledgebase (tsieden_imp-security)
Applies to

SuSE Email Server: Version II

Request:

In various sources (e.g. The Horde Project) you have read about a security update for the web frontend IMP, and now you want to apply this patch to your installed SuSE eMail Server II.

Background Information:

The following security problems are fixed by this update:
  1. A PHPLIB vulnerability allowed an attacker to supply a value for the array element $_PHPLIB[libdir] and thereby have scripts loaded from another server and executed.
  2. By using tricky encodings of "javascript:", an attacker can cause malicious JavaScript code to execute in the browser of a user reading mail sent by the attacker.
  3. A hostile user who can create a publicly readable file named "prefs.lang" somewhere on the Apache/PHP server can cause that file to be executed as PHP code. The IMP configuration files could thus be read, the Horde database password used to read and alter the database in which contacts and preferences are stored, etc.
A detailed description of these issues is available on the Horde Project website.
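To make the second problem concrete, here is an added example (not code from the Horde project or from this article) showing why a literal check for the string "javascript:" is not enough and what a hardened check looks like: entity-decode the attribute value, drop the control and whitespace characters that browsers ignore inside a scheme, lower-case it, and only then compare the scheme. The sample hrefs are constructed for this illustration; "example.test" is a placeholder host.

```python
import html
import re

# Constructed sample href values (not taken from the advisory). The first seven
# all resolve to the javascript: scheme in a browser; the last two are harmless.
SAMPLE_HREFS = [
    "javascript:alert(1)",                # plain
    "JaVaScRiPt:alert(1)",                # mixed case
    "java\tscript:alert(1)",              # embedded tab
    "&#106;avascript:alert(1)",           # decimal entity for 'j'
    "&#x6A;avascript:alert(1)",           # hex entity for 'j'
    " javascript:alert(1)",               # leading whitespace
    "jav\x00ascript:alert(1)",            # embedded NUL byte
    "http://example.test/javascript:x",   # harmless: scheme is http
    "mailto:alice@example.test",          # harmless: scheme is mailto
]

SCRIPT_SCHEMES = {"javascript"}   # extend here if other active schemes matter


def naive_is_javascript(href: str) -> bool:
    """The check the encoding tricks defeat: a literal prefix match."""
    return href.startswith("javascript:")


def scheme_of(href: str) -> str:
    """Return the canonical scheme of href, or "" if it has no valid scheme.

    Order matters: decode entities first (so "&#106;" becomes "j"), then drop
    ASCII control and space characters, then lower-case. A prefix that is not a
    syntactically valid scheme (ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".")
    yields "", which also covers relative URLs that merely contain a colon.
    """
    s = html.unescape(href)
    s = re.sub(r"[\x00-\x20]+", "", s)
    head, sep, _rest = s.partition(":")
    if not sep:
        return ""
    head = head.lower()
    return head if re.fullmatch(r"[a-z][a-z0-9+.-]*", head) else ""


def is_script_scheme(href: str) -> bool:
    """Hardened check: compare the normalized scheme, not the raw bytes."""
    return scheme_of(href) in SCRIPT_SCHEMES


def missed_by_naive(hrefs):
    """Return the hrefs the naive check lets through but the hardened one catches."""
    return [h for h in hrefs if is_script_scheme(h) and not naive_is_javascript(h)]


if __name__ == "__main__":
    for h in SAMPLE_HREFS:
        print(f"{h!r:40} naive={naive_is_javascript(h)!s:5} hardened={is_script_scheme(h)}")
    print("missed by naive check:", len(missed_by_naive(SAMPLE_HREFS)))
```

Run as a script it prints one line per sample; six of the seven dangerous values slip past the naive check while the hardened check flags all seven and leaves the two harmless URLs alone. The same normalize-then-compare order is what any mail-display filter needs, whatever language it is written in.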

Procedure:

On our ftp Server you will find the appropriate version of this update for the SuSE eMail Server II.

Please download the following files:
ftp://ftp.suse.com/pub/suse/i386/products/emailserver/2.0/horde-1.2.7-0.i386.rpm

and:
ftp://ftp.suse.com/pub/suse/i386/products/emailserver/2.0/imp-2.2.7-0.i386.rpm

from our ftp server, and install them with the following commands:

rpm -Uhv /path/to/the/downloaded/horde-1.2.7-0.i386.rpm
rpm -Uhv /path/to/the/downloaded/imp-2.2.7-0.i386.rpm

on your SuSE eMail Server II. Warnings printed by rpm can be ignored; an error, however, means the package was not installed, so confirm afterwards with "rpm -q horde imp" that versions 1.2.7-0 and 2.2.7-0 are reported. The patch is active immediately after installation.
Keywords: IMAP, EMAILSERVER, MAIL, IMP, HORDE, SECURITY

Categories: SuSE Linux IMAP Server

SDB-tsieden_imp-security, Copyright SuSE Linux AG, Nürnberg, Germany - Version: 07. Aug 2001
SuSE Linux AG - Last generated: 11. Feb 2002 by tsieden (sdb_gen 1.40.0)