Hyperdose Security Advisory

Name: Cross Site Scripting holes found in Horde 3.0
Systems Affected: Horde 3.0 installations
Severity: Moderate
Author: Robert Fly - robfly@hyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-01.txt

--Horde Description--
The Horde Application Framework is a general-purpose web application
framework in PHP, providing classes for dealing with preferences,
compression, browser detection, connection tracking, MIME handling, and
more.

--Bug Details--
Horde contains two XSS attacks that can be exploited through GET requests.  
Once exploited, these requests could be used to execute any javascript
commands in the context of that user, potentially including but not limited
to reading and deleting email, and stealing auth tokens.  Here are two
example URLs with simple exploits.
 
*/prefs.php?group=columns"><script>alert(document.domain)</script>&app=turba
 
*/index.php?url=http%3A%2F%2Fserver.com%2Findex.php"%20onload="javascript:al
ert(document.domain)"&frameset=0

--Fix Information--
Horde.org has released a new install to fix these issues.  Per Horde team
these issues are fixed in version 3.0.1, although v3.0.2, which contains the
fixes has already been released.  Kudos to them as they fixed these
vulnerabilities within a few hours of our original email.  GZ below:

http://ftp.horde.org/pub/horde/horde-3.0.2.tar.gz

NOTE: Per Horde team, this vulnerability does not exist in v2.0


--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@hyperdose.com