Date: Sat, 3 Apr 2010 15:55:22 +0200
From: Nico Golde <>
Subject: CVE-2010-0463 incomplete horde fixes

From the CVE id description:
| Horde IMP 4.3.6 and earlier does not request that the web browser
| avoid DNS prefetching of domain names contained in e-mail messages,
| which makes it easier for remote attackers to determine the network
| location of the webmail user by logging DNS requests.

In order to fix this horde upstream added:
// Build filter stack. Starts with HTML markup and tab expansion.
$filters = array(
    'text2html' => array(
        'charset' => Horde_Nls::getCharset(),
        // See Ticket #8836
        'noprefetch' => ($GLOBALS['browser']->isBrowser('mozilla') && !$GLOBALS['browser']->usingSSLConnection()),
        'parselevel' => Horde_Text_Filter_Text2html::MICRO
    ),
    'tabs2spaces' => array(),
);

If the noprefetch option is set imp will add <meta http-equiv="x-dns-prefetch-control" value="off" />
to the page.
The problem with the above fix is that it is only triggered if the browser is mozilla and the
connection is not using SSL. I think this comes from a misunderstanding of the above
blog post which states "Using HTTPS rather than HTTP disables DNS prefetching."

From my understanding this fix is incomplete because other browsers (e.g. Chrome) do
DNS prefetching as well, and the assumption that this is disabled when using HTTPS is,
even for mozilla, only true in the default configuration.


P.S. Cced upstream
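To make the gap concrete, here is an added example (not Horde/IMP code, and not part of the post above) that places the upstream-style gate next to an unconditional policy and renders the resulting <head> fragment for a few constructed clients. The ClientInfo class and the two policy functions are stand-ins invented for this example; the meta tag is written with the standard `content="off"` attribute.

```php
<?php
// Added example: compare a browser-gated "noprefetch" decision with an
// unconditional one. Nothing here is Horde/IMP code; ClientInfo and the
// policy functions are hypothetical stand-ins for this illustration.

/** Constructed stand-in for the browser-detection calls in the upstream snippet. */
final class ClientInfo
{
    public function __construct(
        public readonly string $family,   // e.g. 'mozilla', 'webkit'
        public readonly bool $ssl         // true when the session is over HTTPS
    ) {}
}

/** Upstream-style gate: the hint is emitted only for Mozilla over plain HTTP. */
function noprefetchGated(ClientInfo $c): bool
{
    return $c->family === 'mozilla' && !$c->ssl;
}

/** Hardened policy: the hint is emitted for every rendered message. */
function noprefetchAlways(ClientInfo $c): bool
{
    return true;
}

/** Render the <head> fragment; the meta tag is the only page-level control a webmail app has. */
function headFragment(bool $noprefetch): string
{
    $out = "<meta charset=\"utf-8\">\n";
    if ($noprefetch) {
        $out .= "<meta http-equiv=\"x-dns-prefetch-control\" content=\"off\">\n";
    }
    return $out;
}

// Constructed sample clients; the second and third receive no hint under the gated policy.
$clients = [
    'Firefox over HTTP'  => new ClientInfo('mozilla', false),
    'Firefox over HTTPS' => new ClientInfo('mozilla', true),
    'Chrome over HTTPS'  => new ClientInfo('webkit', true),
];

foreach ($clients as $label => $c) {
    $gated  = str_contains(headFragment(noprefetchGated($c)), 'x-dns-prefetch-control');
    $always = str_contains(headFragment(noprefetchAlways($c)), 'x-dns-prefetch-control');
    printf("%-20s gated: %-8s unconditional: %s\n",
        $label,
        $gated ? 'hint' : 'no hint',
        $always ? 'hint' : 'no hint');
}
```

Run with `php example.php` (PHP 8.1 or later for readonly promoted properties). The meta tag is an advisory hint that browsers honouring x-dns-prefetch-control apply; emitting it unconditionally removes the dependency on browser-family detection and on the assumption that HTTPS alone disables prefetching.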

