SecurityTracker.com

SecurityTracker
Archives


Category:  Application (Generic)  >  Horde Application Framework
Vendors:  Horde Project
Horde Application Framework Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015841
SecurityTracker URL:  http://securitytracker.com/id?1015841
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 29 2006
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0 - 3.1
Description:  A vulnerability was reported in the Horde Application Framework. A remote user can execute arbitrary code on the target system.

The help viewer contains an unspecified vulnerability. A remote user can cause arbitrary code to be executed.

Jan Schneider from the Horde team discovered this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The vendor has issued a fixed version (3.1.1), available at:

ftp://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz
http://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz

Patches for version 3.1 are available at:

ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz

Vendor URL:  www.horde.org/horde/
Cause:  Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Jan Schneider <jan@horde.org>
Message History:   None.


 Source Message Contents

Date:  Tue Mar 28 05:27:27 PST 2006
From:  Jan Schneider <jan@horde.org>
Subject:  [announce] Horde 3.1.1 (final)

 
The Horde Team is releasing a critical security fix for the Horde Application
Framework versions 3.0 and above. Version 2.x and earlier releases are not
affected.
 
The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.
 
Major changes compared to Horde 3.1 are:
    * Security Fixes
      - Fix for remote code execution vulnerability in the help viewer,
        discovered by Jan Schneider from the Horde team.
    * Small bugfixes and improvements
      - Fixed export and synchronization of events across daylight saving time
        changes.
      - Improved mysql session handler.
      - Improved support for Internet Explorer 7 and Opera Mini browsers.
      - Fixed quota support for some VFS drivers.
      - Fixed menu wrapping with Kolab and Purple theme.
 
The full list of changes (from version 3.1) can be viewed here:
 
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.222&r2=1.515.2.231&ty=h
 
The Horde 3.1.1 distribution is available from the following locations:
 
    ftp://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz
    http://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz
 
Patches against version 3.1 are available at:
 
    ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz
    http://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz
 
Or, for quicker access, download from your nearest mirror:
 
    http://www.horde.org/mirrors.php
 
MD5 sums for the packages are as follows:
 
    MD5 (horde-3.1.1.tar.gz) = ef5001144b80422b71454d285056e90a
    MD5 (patch-horde-3.1-3.1.1.gz) = 69d1e51cbe3fa919d102f9a1ba2ebc47
 
Have fun!
 
The Horde Team.
 



Copyright 2006, SecurityGlobal.net LLC