Secunia Security Advisory - A vulnerability has been reported in Horde IMP and Horde Groupware Webmail Edition, which can be exploited by malicious users to conduct spoofing attacks.
----------------------------------------------------------------------
TITLE:
Horde IMP / Groupware Webmail PGP Key Caching Vulnerability
SECUNIA ADVISORY ID:
SA34796
VERIFY ADVISORY:
http://secunia.com/advisories/34796/
DESCRIPTION:
A vulnerability has been reported in Horde IMP and Horde Groupware
Webmail Edition, which can be exploited by malicious users to conduct
spoofing attacks.
The vulnerability is caused by the application caching PGP keys
from local address books. This can be exploited to insert manipulated
public PGP keys into the cache, which can result, for example, in
incorrectly signed incoming messages being displayed as valid.
Successful exploitation requires a valid user account and that
caching and PGP support are enabled.
The vulnerability is reported in Horde Groupware Webmail Edition 1.1
through 1.2.2 and Horde IMP prior to version 4.3.4.
SOLUTION:
Fixed in Webmail Edition 1.2.3-RC1 and IMP 4.3.4.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Peter Meier.
ORIGINAL ADVISORY:
http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.35.2.1&r2=1.35.2.2&ty=h
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.376&r2=1.699.2.389&ty=h
----------------------------------------------------------------------