=====================================================================
                            CERT-Renater

                 Information Note No. 2006/VULN446
_____________________________________________________________________

DATE                 : 18/08/2006

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running IMP Webmail Client versions
                       prior to 4.0.5 and 4.1.3.

======================================================================
http://lists.horde.org/archives/announce/2006/000293.html
http://lists.horde.org/archives/announce/2006/000294.html
----------------------------------------------------------------------

The Horde Team is pleased to announce the final release of the IMP
Webmail Client version H3 (4.0.5).

This is a security release that fixes a cross site scripting
vulnerability with not properly escaped folder names. Many thanks to
Marc Ruef for reporting this problem.

IMP, the Internet Messaging Program, is one of the most popular webmail
applications available. It allows universal, web-based access to IMAP
and POP3 mail servers and provides a full range of features normally
found only in desktop email clients.

Major changes compared to the IMP version H3 (4.0.4) are:
    * Fixed escaping of folder names.
    * Fixed French translation.

The full list of changes (from version H3 (4.0.4)) can be viewed here:

http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.115&r2=1.699.2.116.2.2&ty=h

The IMP H3 (4.0.5) distribution is available from the following
locations:

    ftp://ftp.horde.org/pub/imp/imp-h3-4.0.5.tar.gz
    http://ftp.horde.org/pub/imp/imp-h3-4.0.5.tar.gz

Patches against version H3 (4.0.4) are available at:

    ftp://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.0.4-h3-4.0.5.gz
    http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.0.4-h3-4.0.5.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    MD5 (imp-h3-4.0.5.tar.gz) = 1273c0f24a234850ca4a6b6153316fec
    MD5 (patch-imp-h3-4.0.4-h3-4.0.5.gz) = fe9b5012785dce6e20c75be11985f74e

Have fun!

The Horde Team.

--------------------------------------------------------------------------

The Horde Team is pleased to announce the final release of the IMP
Webmail Client version H3 (4.1.3).

This is a bugfix release that also fixes a cross site scripting
vulnerability with not properly escaped folder names. Many thanks to
Marc Ruef for reporting this problem.

IMP, the Internet Messaging Program, is one of the most popular webmail
applications available. It allows universal, web-based access to IMAP
and POP3 mail servers and provides a full range of features normally
found only in desktop email clients.

Major changes compared to the IMP H3 (4.1.2) version are:
    * Added server configuration option to limit number of login tries.
    * Added link to view attached S/MIME key details.
    * Fixed escaping of folder names.
    * Updated Catalan, German and Slovenian translations.
    * Several small bugfixes and improvements.

The full list of changes (from version H3 (4.1.2)) can be viewed here:

http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.194&r2=1.699.2.206&ty=h

The IMP H3 (4.1.3) distribution is available from the following
locations:

    ftp://ftp.horde.org/pub/imp/imp-h3-4.1.3.tar.gz
    http://ftp.horde.org/pub/imp/imp-h3-4.1.3.tar.gz

Patches against version H3 (4.1.2) are available at:

    ftp://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.1.2-h3-4.1.3.gz
    http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.1.2-h3-4.1.3.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    MD5 (imp-h3-4.1.3.tar.gz) = 91fb63a44805bdff178c39c9bd1c73c5
    MD5 (patch-imp-h3-4.1.2-h3-4.1.3.gz) = 2d2960851b06909c8e2fbe3320a8e572

Have fun!

The Horde Team.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================