Bug 48485

Summary: Ports mail/imp contains a SQL injection vulnerability,
Product: Ports & Packages
Reporter: Liu Kang <lazykang>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Liu Kang 2003-02-20 17:10:18 UTC
As said at http://www.horde.org/imp/2.2/, IMP 2.2.x contains a
SQL injection vulnerability, which can be used by an attacker to execute
SQL statements with the privileges of the Horde database user, by simply
manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025".

Fix:

I think imp 2.2.x should be marked as forbidden temporarily.
How-To-Repeat: n/a
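The report describes the bug class in general terms: a value taken from a URL ends up inside a SQL statement, and whatever that statement does runs with the database user's privileges. The script below is an added illustration, not part of this bug report and not IMP's or Horde's code. It builds a constructed in-memory SQLite table (the `prefs` schema, its rows and the `user` URL parameter are assumptions made for the example) and contrasts a lookup that splices the decoded URL value into the SQL text with one that binds it as a parameter; the first can be made to return every row, the second treats the same input as a plain string and returns nothing.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for "the Horde database": the prefs table, its rows
# and the "user" URL parameter are assumptions for this example, not IMP's
# real schema or query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (user TEXT, pref TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO prefs VALUES (?, ?, ?)",
        [("alice", "signature", "-- alice"),
         ("bob", "signature", "-- bob"),
         ("bob", "theme", "dark")],
    )
    return conn

def user_from_url(query_string):
    # First "user=" value of the URL query string, percent-decoded.
    return parse_qs(query_string).get("user", [""])[0]

def lookup_prefs_vulnerable(conn, query_string):
    # The pattern the report describes: the decoded URL value is spliced into
    # the SQL text, so a quote in the value changes the statement itself and
    # whatever it then does runs with the database user's privileges.
    user = user_from_url(query_string)
    sql = "SELECT user, pref, value FROM prefs WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()

def lookup_prefs_fixed(conn, query_string):
    # Hardened form: the statement text is constant and the value is bound
    # as a parameter, so it can only ever be compared against the column.
    user = user_from_url(query_string)
    sql = "SELECT user, pref, value FROM prefs WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()

# Constructed inputs: an ordinary request and one whose value carries a
# quote, given as URL-encoded query strings (the second decodes to x' OR 'a'='a).
NORMAL_QUERY = "user=bob"
TAMPERED_QUERY = "user=x%27+OR+%27a%27%3D%27a"

def demo():
    # Row counts each variant returns for each input; the tampered input
    # makes the vulnerable lookup return the whole table.
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_prefs_vulnerable(conn, NORMAL_QUERY)),
        "vulnerable_tampered": len(lookup_prefs_vulnerable(conn, TAMPERED_QUERY)),
        "fixed_normal": len(lookup_prefs_fixed(conn, NORMAL_QUERY)),
        "fixed_tampered": len(lookup_prefs_fixed(conn, TAMPERED_QUERY)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Binding the value fixes the shape of the statement, which is the actual fix; the report's remark that injected statements run "with the privileges of the Horde database user" is the reason a least-privileged database account is the second line of defence when the first one is missing.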
Comment 1 Thierry Thomas 2003-02-20 19:26:28 UTC
On Thu 20 Feb 03 at 16:00:05 +0100, LiuKang <lazykang@hotmail.com>
 wrote:
> 
> >Number:         48485
> >Category:       ports
> >Synopsis:       Ports mail/imp contains a SQL injection vulnerability,
> >Description:
>         As it said in http://www.horde.org/imp/2.2/ IMP 2.2.x contains a
> SQL injection vulnerability, which can be used by an attacker to execute
> SQL statements with the privileges of the Horde database user, by simply
> manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025". 
> >How-To-Repeat:
> 	n/a
> >Fix:
> 	I think imp 2.2.x should be marked as forbidden temporarily.

Thanks for the notice. This port (with www/horde) should be removed. On
<http://www.horde.org/imp/2.2/news.php> (dated 2003-01-28)
it is written:

The Horde Project has previously announced that IMP 2.2.x is no longer
actively maintained, and that sites still running IMP 2.2 are strongly
urged to upgrade to 3.x as soon as possible. It is very unlikely that any
further official releases of the IMP 2.2.x branch will be created.

It is only useful for people using PHP3 and not PHP4...
-- 
Th. Thomas.
Comment 2 Yen-Ming Lee freebsd_committer freebsd_triage 2003-02-24 05:56:45 UTC
State Changed
From-To: open->closed

mail/imp was removed, thanks.