Horde IMP Session Hijacking Vulnerability

IMP is a powerful web-based mail interface/client developed by members of the Horde project.

Encoded HTML tags are not stripped from requests to access 'status.php3'. A remote attacker can construct a link which, when clicked, causes arbitrary script code to be executed in the browser of an unsuspecting user in the context of a site running Horde IMP.

As a result, it has been proven that this issue can be exploited to steal a legitimate user's cookie-based authentication credentials and gain unauthorized access to that user's webmail account.
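
The following is an added example, not code from Horde IMP or from the original advisory. It models the flaw as a filter that strips literal tags before the value is percent-decoded, contrasts that with decode-then-escape output handling, and flags encoded markup in requests to 'status.php3' in access logs. The parameter name `note`, the `/horde/imp/` path prefix, the strip-before-decode model and the log lines are all assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines; path prefix, parameter name and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /horde/imp/status.php3?note=Mail+sent HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /horde/imp/status.php3?note=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.0" 200 530',
    '192.0.2.12 - - [01/Jan/2001:10:00:09 +0000] "GET /horde/imp/status.php3?note=%253Cb%253Ehi HTTP/1.0" 200 530',
    '192.0.2.13 - - [01/Jan/2001:10:00:12 +0000] "GET /horde/imp/mailbox.php3?note=%3Cb%3E HTTP/1.0" 200 100',
]

TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")  # start of an HTML tag or comment
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')

def naive_strip(raw):
    """Assumed flaw: literal tags are removed before the value is decoded."""
    return re.sub(r"<[^>]*>", "", raw)

def render_vulnerable(raw):
    """Strip, then decode: encoded tags pass the filter and reach the page."""
    return unquote(naive_strip(raw))

def render_hardened(raw):
    """Decode first, then HTML-escape at output instead of stripping."""
    return html.escape(unquote(raw), quote=True)

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded markup is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines, script="/status.php3"):
    """Return request targets for `script` whose query decodes to markup."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path.endswith(script) and TAG_RE.search(fully_decode(target.query)):
            hits.append(match.group(1))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Escaping at output is the fix; the log check is only a triage aid and will also flag legitimate requests that happen to contain angle brackets.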


