Horde vulnerability need a fix please parallels


105547111
10th May 2008, 09:30 PM
http://www.securityfocus.com/bid/28898

Horde Webmail is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.

I hope we see a hotfix for this soon, as a security bug is very important.

atomicturtle
11th May 2008, 12:27 PM
More information on this: the condition affects only Horde-Kronolith. Kronolith 2.1.8 resolves the issue.

As a short term workaround you can remove the package with:
rpm -e psa-kronolith

ASL users are unaffected by this vulnerability.

sergius
12th May 2008, 02:19 PM
> http://www.securityfocus.com/bid/28898
>
> Horde Webmail is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
>
> I hope we see a hotfix for this soon, as a security bug is very important.

Hello 105547111,

Thank you for the report. It will be fixed as soon as possible.

PixyPumpkin
14th May 2008, 12:44 PM
> ASL users are unaffected by this vulnerability.

But ASL is detecting this too, how is ASL protecting us from this vulnerability? Will Horde-Kronolith 2.1.8 be in your ART repo soon?

atomicturtle
14th May 2008, 02:40 PM
Since horde and mod_security are running through the same instance of apache, the virtual patches used in mod_sec are compensating for the vulnerability in kronolith. We're reporting it because we are required to as an auditor, even though there is a compensating security control around it. Eventually we'll get the logic into ASL to map compensating controls to specific vulnerabilities.

I hadn't planned on doing a kronolith update until you just mentioned it now. It might not be a lot of work; I'll have to look into it.

PixyPumpkin
15th May 2008, 03:16 AM
> I'll have to look into it

This would be great, thanks a lot Scott! :)

SliderMKH6
21st May 2008, 06:11 PM
> Hello 105547111,
>
> Thank you for the report. It will be fixed as soon as possible.

10 days are over and nothing has happened :( Maybe some fixes will come this May, or not?

105547111
21st May 2008, 07:46 PM
I hope it gets fixed soon, as a known security issue should take preference even over a bug fix, since it's a known exploit.

atomicturtle
22nd May 2008, 02:08 PM
I have released psa-kronolith version 2.1.8 in the [atomic] archive. This resolves the security vulnerability reported in http://www.securityfocus.com/bid/28898

This update is available for CentOS 3/4/5, Fedora 4/5/6/7/8/9 and RHEL 3/4/5. In order to add the update, perform the following:

Step 1) Add the atomic yum repository
wget -q -O - http://www.atomicorp.com/installers/atomic |sh

Step 2) Update psa-kronolith
yum update psa-kronolith

Thanks very much to PixyPumpkin for the motivation on this update.
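A quick way to verify that the update above actually landed on a host (an added example, not a script from the thread or from Atomicorp): it compares the installed psa-kronolith version against 2.1.8, the version the post names as the fix, and treats a removed package (the earlier `rpm -e` workaround) as not needing the update. It assumes an RPM-based Plesk host, as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the installed
# psa-kronolith package is at or above 2.1.8, the version that
# resolves BID 28898. Assumes an RPM-based host.

FIXED_VERSION="2.1.8"

# Compare two dotted numeric version strings; prints -1, 0 or 1.
# Missing components count as 0, so 2.1 < 2.1.8 and 2.1.10 > 2.1.8.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given psa-kronolith version is below the fix.
kronolith_needs_update() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query the live system with rpm and report the state of the package.
# Returns 1 when the vulnerable version is still installed.
check_installed() {
    if ! ver=$(rpm -q --qf '%{VERSION}' psa-kronolith 2>/dev/null); then
        echo "psa-kronolith is not installed (removed, as in the workaround)"
        return 0
    fi
    if kronolith_needs_update "$ver"; then
        echo "psa-kronolith $ver is vulnerable: run 'yum update psa-kronolith'"
        return 1
    fi
    echo "psa-kronolith $ver includes the fix"
}

# Run the live check only when invoked as: sh kronolith-check.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

Only the version component is compared; the RPM release tag is deliberately ignored, since the thread identifies the fix by upstream version alone.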

S.Celik
22nd May 2008, 05:55 PM
> It will be fixed as soon as possible.

Hello sergius,

Could you tell me please, why is Parallels slower than atomicturtle :)

This is a security issue, and it is because of Parallels' choices. It also must be fixed immediately, not "as soon as possible".

Forget about pretty new features. We only want a stable control panel from Parallels for our customers. And these customers are ours, not Parallels'! We sell them hosting plans, not VPS packages nor control panel software. When will Parallels stop spamming our customers? When will Parallels publish a stable version? When will Parallels start to fix bugs immediately?

105547111
22nd May 2008, 06:08 PM
Thank you Scott, your effort is greatly appreciated!

DerFalk
23rd May 2008, 05:38 AM
> I have released psa-kronolith version 2.1.8 in the [atomic] archive. This resolves the security vulnerability reported in http://www.securityfocus.com/bid/28898
>
> This update is available for CentOS 3/4/5, Fedora 4/5/6/7/8/9 and RHEL 3/4/5. In order to add the update perform the following:
>
> Step 1) Add the atomic yum repository
> wget -q -O - http://www.atomicorp.com/installers/atomic |sh
>
> Step 2) Update psa-kronolith
> yum update psa-kronolith
>
> Thanks very much to PixyPumpkin for the motivation on this update.

I use PSA 8.3, should I upgrade psa-kronolith? It is shown to be updated, but in my components in the CP psa-kronolith is not shown!?

PixyPumpkin
23rd May 2008, 06:00 AM
> Thanks very much to PixyPumpkin for the motivation on this update.

My pleasure, thank you for the quick response and for making the update :)

atomicturtle
23rd May 2008, 09:42 AM
Yes, the psa-kronolith update will work on PSA 8.3 as well. Horde on 8.3 also suffers from these additional security vulnerabilities:

Horde Turba Vulnerability CVE-2008-0807
Horde Vulnerability SA28382
Horde Turba Vulnerability SA28382
Horde Mnemo Vulnerability SA28382
Horde Kronolith Vulnerability SA28382
Horde Vulnerability CVE-2007-6018
Horde Vulnerability CVE-2008-1284

All of these are corrected by the versions of these packages included in 8.4. So you should be able to use the newer horde packages from 8.4 on 8.3.

sergius
9th June 2008, 11:19 AM
Gentlemen,

The issue is fixed and will be delivered w/ Plesk 8.4.1, which is expected at the end of June.

atomicturtle
9th June 2008, 03:05 PM
I believe you mean PSA 8.4.0.1

sergius
9th June 2008, 09:49 PM
> I believe you mean PSA 8.4.0.1

No, I mean Plesk 8.4.1.

atomicturtle
9th June 2008, 09:54 PM
Well good news then, since all of the above vulnerabilities were resolved as of 8.4.0.1

sergius
11th June 2008, 02:00 PM
> Well good news then, since all of the above vulnerabilities were resolved as of 8.4.0.1

It seems I should be clearer: Plesk 8.4.1 will provide Horde Kronolith 2.1.8 via Autoupdater.

ppc
14th June 2008, 06:28 PM
> 10 Days over and nothing happen :( Maybe it come some fixes this may or not?

> Gentlemen,
>
> The issue is fixed and will be delivered w/ Plesk 8.4.1 which is expected in the end of June.

I really find it amazing and quite perplexing what takes Parallels so long to push out even the most critical security updates. cPanel pushes out updates in hours when it's necessary.

SliderMKH6
15th June 2008, 04:44 AM
Plesk 8.4.0.1 has been out for a long time! http://forum.swsoft.com/showthread.php?t=53006

sergius
15th June 2008, 06:09 AM
> Plesk 8.4.0.1 is long time out! http://forum.swsoft.com/showthread.php?t=53006

Yep, it was released w/ 8.4.0.1, which is a hotfix and is not available for 8.4.0, for instance.
8.4.1 is a major update for previous versions. Is it clear?

sergius
8th July 2008, 09:16 AM
Gentlemen,

The next Plesk release is delayed to the end of July.
Sorry for the inconvenience.