SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Horde Application Framework Vendors:  Horde Project
Horde Application Framework Input Validation Flaw in 'NLS.php' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1017775
SecurityTracker URL:  http://securitytracker.com/id?1017775
CVE Reference:  CVE-2007-1473   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Mar 15 2007
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 3.1.4
Description:  A vulnerability was reported in Horde Application Framework. A remote user can conduct cross-site scripting attacks.

The 'framework/NLS/NLS.php' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Horde Application Framework software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=%22a lert%28'XSS'%29%3B
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Horde Application Framework software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has issued a fixed version (3.1.4).

The Horde advisory is available at:

http://lists.horde.org/archives/announce/2007/000315.html
Vendor URL:  www.horde.org/horde/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Moritz Naumann <security@moritz-naumann.com>
Message History:   None.

 Source Message Contents
Date:  Thu, 15 Mar 2007 02:50:50 +0100
From:  Moritz Naumann <security@moritz-naumann.com>
Subject:  [Full-disclosure] Horde 3.1.4 (RC1) fixes XSS issue

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

a few hours ago, Horde Framework 3.1.4 was released. This stable release
as well as a previous development release titled 3.1.4 RC1 fix a
script/HTML injection issue which does not require pevious
authentication by the victim.

By redirecting the victims' web browser to a specially crafted URL
containing the payload this issue can be exploited. As the users'
session cookie is already set by the time the injection takes place this
issue makes the user prone to XSS attacks.

The vulnerable file is framework/NLS/NLS.php.

Example:
[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=%22alert%28'XSS'%29%3B

[Horde_App] should be replaced by the name of an installed Horde
application, such as 'imp'.

This can only be exploited on installations which are configured to
display a language selection box on the login pages.

This issue was /not/ initially discovered by me. I document it here as
I happened to come across this while discovering XSS issues in Horde IMP
and to simplify fixing vulnerable versions of repackaged distributions
of this software.

The developers' release announcement can be found at:
  http://lists.horde.org/archives/announce/2007/000315.html

General information on this application is available at
  http://www.horde.org/

Moritz Naumann
http://moritz-naumann.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+KZ5n6GkvSd/BgwRAvSwAJ9fUFLMnQEYbT3ZftmoCBTTxYhmfACeOrQd
n4JZtVHG3wRI8CpwRbGQjaI=
=VGUL
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC