Download Horde Groupware Webmail 1.2.4
Horde Groupware Webmail is, as the name suggests, a package for offering groupware and webmail. The package is written in PHP and uses the Horde framework. For more information, see this page and this page. The developers have released version 1.2.4 of Horde Groupware Webmail with the following announcement on the mailing list:
Horde Groupware Webmail Edition 1.2.4 (final)
The Horde Team is pleased to announce the final release of the Horde Groupware Webmail Edition version 1.2.4.
This is a major security release that fixes a vulnerability in the form library that allows overwriting of arbitrary local files with the permissions of the web server user. It also fixes two XSS vulnerabilities in the preference system and the MIME viewer library. The local file vulnerability can only be exploited by users who have write permissions to the address book. All users are encouraged to upgrade to this release.
Thanks to Stefan Esser from SektionEins for finding the local file issue in a code audit, and Martin Geisler and David Wharton for finding the XSS issues.
The major changes compared to the Horde Groupware Webmail Edition version 1.2.3 are:
- Fixed vulnerability in image form fields that allows overwriting of arbitrary local files.
- Fixed validation of “number” type preferences.
- Fixed displaying unknown text MIME parts inline.
- Many synchronization improvements.
- Bundled a complete, working PEAR installation.
- Improved signup support.
- Releasing memcache lock no longer takes 1 second.
- Fixes when resetting passwords.
- Export current locale to the environment.
- Highlight signed messages depending on the signature verification.
- Automatically set address book preferences.
- Fixed some JavaScript if using IE 8.
- Use correct charset when rendering inline PGP data.
- Fixed renaming shared folders contained in empty namespaces.
- Fixed spell check in text-mode for certain words in non-English locales.
- Fix deleting messages after undeleting in dynamic view.
- Fix renaming folders with non-7bit characters in dynamic view.
- Ignore ‘compose_html’ preference in IMP in mobile view.
- Fix showing Cc and Bcc fields in mobile view.
- Various fixes to the maildrop and procmail drivers.
- Better default settings for forwards, vacation and spam rules.
- Several VFS fixes in filters.
- Fixed determination of the spam folder in filters.
- Allow to add address lists as event attendees through the address book popup.
- Fixed several issues with all-day events.
- Display application name as task list name when listing external tasks.
- Added passphrase confirmation field for encrypted notes.
- Many further bug fixes and feature enhancements.
The full list of changes (from version 1.2.3) can be viewed here.
Have fun!
The Horde Team.
Version number | 1.2.4 |
Release status | Final |
Operating systems | script language |
Website | Horde |
Download | http://www.horde.org/download/app/?app=webmail |
License type | Conditions (GNU/BSD/etc.) |