Bug 48485 - Ports mail/imp contains a SQL injection vulnerability,
Summary: Ports mail/imp contains a SQL injection vulnerability,
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2003-02-20 17:10 UTC by Liu Kang
Modified: 2003-02-24 05:56 UTC
Description Liu Kang 2003-02-20 17:10:18 UTC
        As it said in http://www.horde.org/imp/2.2/ IMP 2.2.x contains a
SQL injection vulnerability, which can be used by an attacker to execute
SQL statements with the privileges of the Horde database user, by simply
manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025".

Fix: 

I think imp 2.2.x should be marked as forbidden temporarily.
How-To-Repeat: 	n/a
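The report says only that the injection is reachable "by simply manipulating Horde URLs" and runs "with the privileges of the Horde database user". The following is an added, self-contained illustration of that class of bug, not IMP's or Horde's code: a constructed in-memory SQLite table stands in for a webmail preference table, one lookup interpolates a URL query parameter straight into the SQL string, and the hardened lookup binds it as a parameter. The URLs, table, column names and the `uid` parameter are all assumptions made up for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed sample data; the schema is illustrative, not Horde's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE prefs (uid TEXT, pref_name TEXT, pref_value TEXT);
        INSERT INTO prefs VALUES ('alice', 'signature',     'Alice');
        INSERT INTO prefs VALUES ('bob',   'signature',     'Bob');
        INSERT INTO prefs VALUES ('bob',   'smtp_password', 'hunter2');
        """
    )
    return conn


def param_from_url(url, name):
    """Return a query-string parameter exactly as the client sent it (percent-decoded)."""
    return parse_qs(urlparse(url).query, keep_blank_values=True).get(name, [""])[0]


def lookup_vulnerable(conn, url):
    """Injectable pattern: the attacker-controlled value is pasted into the SQL text."""
    uid = param_from_url(url, "uid")
    sql = "SELECT pref_name, pref_value FROM prefs WHERE uid = '%s'" % uid
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, url):
    """Hardened pattern: the value is bound as a parameter and can never become SQL."""
    uid = param_from_url(url, "uid")
    return conn.execute(
        "SELECT pref_name, pref_value FROM prefs WHERE uid = ?", (uid,)
    ).fetchall()


def demo():
    """Run both lookups against a benign and a constructed hostile URL."""
    conn = make_db()
    benign = "http://mail.example.test/prefs.php?uid=alice"
    # Hostile URL (constructed): closes the quoted literal and appends a tautology,
    # so the WHERE clause becomes  uid = 'alice' OR '1'='1'  and matches every row.
    hostile = "http://mail.example.test/prefs.php?uid=alice%27%20OR%20%271%27%3D%271"
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "hostile_vuln": lookup_vulnerable(conn, hostile),
        "hostile_fixed": lookup_fixed(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hostile URL makes the interpolating version return every user's preferences, including another user's stored password, while the bound-parameter version returns nothing because the whole string is compared as a literal `uid`. Whatever the injected SQL does, it executes with the rights of the account the application uses to connect, which is the point the report makes about "the privileges of the Horde database user"; running the web application under a least-privilege database account limits the damage, but only parameterised queries remove the injection.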
Comment 1 Thierry Thomas 2003-02-20 19:26:28 UTC
On Thu 20 Feb 03 at 16:00:05 +0100, LiuKang <lazykang@hotmail.com>
 wrote:
> 
> >Number:         48485
> >Category:       ports
> >Synopsis:       Ports mail/imp contains a SQL injection vulnerability,
> >Description:
>         As it said in http://www.horde.org/imp/2.2/ IMP 2.2.x contains a
> SQL injection vulnerability, which can be used by an attacker to execute
> SQL statements with the privileges of the Horde database user, by simply
> manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025". 
> >How-To-Repeat:
> 	n/a
> >Fix:
> 	I think imp 2.2.x should be marked as forbidden temporarily.

Thanks for the notice. This port (with www/horde) should be removed. On
<http://www.horde.org/imp/2.2/news.php> (dated 2003-01-28)
it is written:

The Horde Project has previously announced that IMP 2.2.x is no longer
actively maintained, and that sites still running IMP 2.2 are strongly
urged to upgrade to 3.x as soon as possible. It is very unlikely that any
further official releases of the IMP 2.2.x branch will be created.

It is only useful for people using PHP3 and not PHP4...
-- 
Th. Thomas.
Comment 2 Yen-Ming Lee 2003-02-24 05:56:45 UTC
State Changed
From-To: open->closed

mail/imp was removed, thanks.