| VID |
21302 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its version number, the IMP software on the remote Web server has a cross-site scripting vulnerability. Horde IMP (Internet Messaging Program) is a Web-based e-mail client written in PHP. Versions of IMP between 2.0 and 3.2.3 are vulnerable to cross-site scripting caused by improper filtering of the Content-Type header in e-mail messages. By sending an e-mail message with a specially crafted Content-Type header, a remote attacker can cause arbitrary script code to be executed within the target user's browser once the target user views the message. This vulnerability could be exploited for session hijacking and the theft of cookie-based authentication credentials.
* Note: This check relies solely on the version number of IMP on the remote Web server to assess this vulnerability, so the result might be a false positive.
* References: http://www.securitytracker.com/alerts/2004/Jun/1010425.html
* Platforms Affected: Horde IMP versions between 2.0 and 3.2.3; Linux, any version; Unix, any version |
| Recommendation |
Upgrade to the latest version (3.2.4 or later) of IMP, available from the Horde download site at http://ftp.horde.org/pub/imp/ |
| Related URL |
CVE-2004-0584 (CVE) |
| Related URL |
10501 (SecurityFocus) |
| Related URL |
16357 (ISS) |
|