----------------------------------------------------------------------

TITLE:
Horde IMP / Groupware Webmail PGP Key Caching Vulnerability

SECUNIA ADVISORY ID:
SA34796

VERIFY ADVISORY:
http://secunia.com/advisories/34796/

DESCRIPTION:
A vulnerability has been reported in Horde IMP and Horde Groupware
Webmail Edition, which can be exploited by malicious users to conduct
spoofing attacks.

The vulnerability is caused by the application caching PGP keys from
local address books. This can be exploited to insert manipulated
public PGP keys into the cache, which can result e.g. in incorrectly
signed incoming messages being displayed as valid.

Successful exploitation requires a valid user account and that
caching and PGP support are enabled.

The vulnerability is reported in Horde Groupware Webmail Edition 1.1
through 1.2.2 and Horde IMP prior to version 4.3.4.

SOLUTION:
Fixed in Webmail Edition 1.2.3-RC1 and IMP 4.3.4.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Peter Meier.

ORIGINAL ADVISORY:
http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.35.2.1&r2=1.35.2.2&ty=h
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.376&r2=1.699.2.389&ty=h

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

----------------------------------------------------------------------