SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Horde Groupware Vendors:  Horde Project
Horde Groupware Discloses Address Book Contacts to Remote Users
SecurityTracker Alert ID:  1019433
SecurityTracker URL:  http://securitytracker.com/id?1019433
CVE Reference:  CVE-2008-0807   (Links to External Site)
Updated:  Mar 14 2008
Original Entry Date:  Feb 19 2008
Impact:  Disclosure of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 1.0.4
Description:  A vulnerability was reported in Horde Groupware. A remote user can access address book contacts.

A remote user that can guess a target user's contact unique key can gain access to address book contacts in the same SQL table.
Impact:  A remote user can access address book contacts.
Solution:  The vendor has issued a fix (1.0.4).

The advisory is available at:

http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.17.2.1&r2=1.17.2.2&ty=h
Vendor URL:  www.horde.org/groupware/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Jan Schneider <jan@horde.org>
Message History:   None.

 Source Message Contents
Date:  2008-02-15 17:48:35
From:  Jan Schneider <jan@horde.org>
Subject:  [announce] Horde Groupware 1.0.4 (final)

 
The Horde Team is pleased to announce the final release of the Horde Groupware
version 1.0.4.
 
This is a security release that fixes unchecked access to address book
contacts in the same SQL table, if the unique key of another user's contact
can be guessed.  All users are encouraged to upgrade to this version.
 
Horde Groupware is a free, enterprise ready, browser based collaboration
suite. Users can manage and share calendars, contacts, tasks and notes with the
standards compliant components from the Horde Project.
 
Major changes compared to Horde Groupware 1.0.3 are:
    * Fixed unchecked access to contacts in the same address book SQL table.
 
The full list of changes (from version 1.0.3) can be viewed here:
 
http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.17.2.1&r2=1.17.2.2&ty=h
 
The Horde Groupware 1.0.4 distribution is available from the following locations:
 
    ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.0.4.tar.gz
    http://ftp.horde.org/pub/horde-groupware/horde-groupware-1.0.4.tar.gz
 
Patches against version 1.0.3 are available at:
 
    ftp://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.0.3-1.0.4.gz
    http://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.0.3-1.0.4.gz
 
Or, for quicker access, download from your nearest mirror:
 
    http://www.horde.org/mirrors.php
 
MD5 sums for the packages are as follows:
 
    7178e7dd5f24e9f6acca13c9a794d0db  horde-groupware-1.0.4.tar.gz
    d0cd5f8384082ce7a4b5dec928e1545a  patch-horde-groupware-1.0.3-1.0.4.gz
 
Have fun!
 
The Horde Team.
 
-- 
Horde announcements mailing list
You are subscribed to this list as: horde-announce@progressive-comp.com
To unsubscribe, mail: announce-unsubscribe@lists.horde.org


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC