IMP 3.2.5 released
Today version 3.2.5 of the IMP webmail client was released, containing a security fix and a few cosmetic fixes.
The full release announcement of version 3.2.5 of IMP, one of the most popular webmail clients available, can be found here. Out of the fixes, I want to pick out the two most important ones:
- An XSS vulnerability has been fixed in the MIME viewer for HTML messages.
IMP uses the MIME viewer system of the Horde Framework to render all kinds of text formats and attachments. The HTML viewer is responsible for displaying HTML content, for example emails sent in HTML format.
This viewer is a very sensitive piece of code, because HTML allows active content such as scripts. If we exposed this HTML code unfiltered, an attacker could use such scripts to obtain sensitive information from the user viewing the content. Such an attack is called cross-site scripting, or XSS for short, and can be triggered by opening an HTML email, for example. We therefore take all kinds of measures to filter out such malicious code, but it is hard to keep pace with the many ways of obscuring such code and with newly discovered browser bugs that allow these scripts to execute.
On March 6th, GreyMagic Software disclosed such a vulnerability in Hotmail's and Yahoo's webmail clients. Their exploit only works with Internet Explorer and uses its HTML+TIME (Microsoft's implementation of SMIL) capabilities to execute scripts that are not caught by those clients' HTML filters.
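The filtering problem described above, as an added example (not IMP or Horde code): a denylist that strips the script constructs it knows about passes an element it has never heard of, while an allowlist built on a real parser drops it. The tag and attribute lists and the `<x-vendor-ext>` element are assumptions constructed for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED = {"p": set(), "b": set(), "br": set(), "a": {"href"}}  # assumed allowlist
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # their text must not reach the output

def denylist_filter(html):
    """Strip only the constructs the filter author already knows about."""
    html = re.sub(r"(?is)<script.*?</script>", "", html)
    return re.sub(r"(?i)\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", html)

class AllowlistSanitizer(HTMLParser):
    """Re-emit allowlisted markup only; anything unrecognised is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            ok_url = name != "href" or value.lower().startswith(SAFE_SCHEMES)
            if name in ALLOWED[tag] and ok_url:
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed input; <x-vendor-ext> stands in for a browser-specific extension.
SAMPLE = ('<p onclick="s()">Hello <b>Bob</b></p>'
          '<x-vendor-ext run="placeholder">t</x-vendor-ext>'
          '<a href="https://example.org/">link</a>')
```

The allowlist version fails closed: a new browser feature has to be added to `ALLOWED` before it is rendered, instead of having to be discovered and blocked after the fact.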
Of course we immediately checked if IMP was vulnerable too, and it was not.
On July 14th, Martijn Brinkers informed us that IMP was affected by a variation of this exploit that obfuscates the code even further. A fix was quickly found, and we extended the filter rules of the HTML MIME viewer to catch this new trick too. Many thanks to Martijn for acting responsibly by letting us know about this flaw and giving us time to make a new release.
- A cosmetic fix to the HTML MIME viewer removes CSS code from HTML messages.
In the MIME viewer for HTML code that was described above, we also filter out any