Bugtraq mailing list archives

Re: Web Application Security Survey


From: Anil Madhavapeddy <anil () RECOIL ORG>
Date: Sat, 2 Sep 2000 01:01:16 +00100

Quoting D-Krypt <dkrypt () YAHOO COM>:

> -Web Application Security Survey-
> Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos
> Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all
> currently vulnerable to web based attack.


We've had some queries to the Horde/IMP (a popular GPL'ed webmail
client) list about its security following advisories like the
above.

Just to confirm that IMP-2.2.0 is shipped secure by default, with
inline-HTML viewing capability disabled.

Users are warned clearly in the configuration file about the
dangers of inline viewing, and we make a pretty good effort to
strip out all javascript code from the message before displaying it.
However, this is not to be relied on, so enable the inlining
at your own risk!

Feel free to inspect the code (in horde/imp/lib/mimetypes.lib)
and point out any problems or holes in it, so we can continue to
improve security in our ongoing development branches.

IMP's homepage is http://horde.org/imp/ , and the mailing lists
are at http://horde.org/mail/

Regards,

--
Anil Madhavapeddy, <anil () recoil org>
