SEC Consult Security Advisory < 20051211-0 >
==========================================================================
             title: < Several XSS issues in Horde Framework, Kronolith
                      Calendar, Mnemo Notes, Nag Tasks and Turba
                      Addressbook >
           program: < Horde Application Framework + Modules >
vulnerable version: < Horde: <= 3.0.7
                      Kronolith: <= 2.0.5
                      Mnemo: <= 2.0.2
                      Nag: <= 2.0.3
                      Turba: <= 2.0.4 >
          homepage: < http://www.horde.org >
             found: < 2005-12-02 >
                by: < Johannes Greil > / SEC Consult /
www.sec-consult.com
==========================================================================

-------------------
vendor description:
-------------------
The Horde Project is about creating high quality Open Source
applications, based on PHP and the Horde Framework.

The guiding principles of the Horde Project are to create solid
standards-based applications using intelligent object oriented design
that, wherever possible, are designed to run on a wide range of
platforms and backends. There is great emphasis on making Horde as
friendly to non-English speakers as possible. The Horde Framework
currently supports many localization features such as unicode and
right-to-left text and generous users have contributed many
translations for the framework and applications.


----------------------
vulnerabilty overview:
----------------------
Kronolith - Calendar Application
================================
view calendars:
---------------
1) An (authenticated) attacker can create a calendar (under "My
Calendars") with any Javascript code in the name field ("Calendar
Name") and change the permissions to make it public to all users of the
system.

If the victim (user of the system) clicks on the menu "My Calendars" to
only view his calendars, all the public calendars will also show up and
the script code of the attacker will be executed.


delete events:
--------------
2) The title field of a calendar event is not properly sanitized when
deleting an event. Kronolith asks for "Delete $title" and renders
$title without further validation on the confirmation page.

It poses a threat when using shared/public calendars, where users of
the system have read and especially delete access to other users'
calendar events.


search events:
--------------
3) The Basic and Advanced Search functionality render the category and
location field without sanitation. An attacker can make an event public
and insert common search words in the title or other fields in
combination with malicious code. A victim searching for a common word
will get the script code as a result, which is executed immediately.

The scripting code, which has been added as a new category, will also
be rendered in Horde Options under "Category and Labels", but
categories cannot be shared to other users.


edit attendees:
---------------
4) An attacker can add script code as an attendee email address in an
event. Viewing the event is enough to execute the code because the
email address isn't being filtered.


edit permissions:
-----------------
5) The popup window for editing the permissions of a (your own)
calendar doesn't filter the title of a calendar and views it
unfiltered. This cannot be remotely exploited.


The victim must be subscribed to the public calendar in bug 2), 3) and
4) to be affected, 1) does work in every case. An attacker can
implement "relogin trojan scripting code" to trick the users to enter
their login name + passwords and take over the accounts. This also
bypasses the session management features of the Horde Framework (stores
IP and browser string in sessions hence the cookie alone isn't that
helpful).


Horde Framework:
================
6) The Horde Framework itself also suffers from XSS flaws (e.g.
identity field, category/labels, mobile phone field, importing files)
where at least one them is exploitable which affects other modules such
as Turba Address Book.

E.g. when showing an Address Book entry, the "Mobile Phone" field is
not being sanitized and an attacker can create a malicious contact with
Javascript code in that field. There are different attack vectors, such
as importing a contact via CSV file or accessing some shared Address
Book with a malicious contact. Directly adding malicious code into the
Mobile Phone field doesn't work because of the input validation in
place.

importing CSV files:
--------------------
7) E.g. the Date and Time Fields are not properly sanitized on the
import pages in Kronolith, Mnemo and Nag (a Horde Template is
affected). A specially crafted CSV file can be used to execute
arbitrary code on a victim. It shall be noted that the victim has to
import this preparted file on his own so e.g. some social engineering
email is needed.


Mnemo Note Manager && Nag Task List Manager:
============================================
There are also some input validation flaws in Mnemo and Nag (and maybe
other modules as well).

Mnemo: When creating a new notepad, the notepad's name isn't being
filtered. Hence it is possible to insert any javascript code.

Furthermore one can insert Javascript code in a shared notepad's name
which can be remotely exploited (as always only when already
authenticated).

Nag: This module suffers from a similar problem as Mnemo, here the
"Task List's Name" and also the shared Tasklists are affected. Nag also
suffers from the "importing CSV file" issue mentioned above.

-----------------
proof of concept:
-----------------
Kronolith:
1) E.g. add "<script>alert("calname")</script>" as the "Calendar Name",
change permissions to public read access and login with another user.

Just click on "My Calendars" menu - the code will be executed
immediately in the "Select a calendar" section and in the "My Free/Busy
URL" field.


2) Create a new event in a public calendar and e.g. use
<script>alert("title")</script>" as the title. make this event readable
and deletable for other users. If the victim clicks on "Delete event"
the script code will be executed.


3) Create an event with "<script>alert("category")</script>" as a new
category name, or some code in the location field, and make it public.

If a user searches for the word "category", the event with the
malicious code will be found and the code executed.


4) Use "<script>alert("attendee")</script>" as an email address and add
the attendee to a public event. The code will be executed when viewing
the public event.


Horde:
6) E.g. add script code to the "Mobile Phone" field of a contact that
is shared to other people. You have to bypass Horde's input validation
for that field, e.g. by importing a preparated contact via CSV file.
After that the script code will be executed upon clicking on the
contact.

--------------------
vulnerable versions:
--------------------
'HORDE_VERSION', '3.0.7' and lower
'KRONOLITH_VERSION', 'H3 (2.0.5)' and lower
'MNEMO_VERSION', 'H3 (2.0.2)' and lower
'NAG_VERSION', 'H3 (2.0.3)' and lower
'TURBA_VERSION', 'H3 (2.0.4)' and lower


--------------
vendor status:
--------------
vendor notified: 2005-12-02
vendor response: 2005-12-02
first patches available in CVS: 2005-12-02
coordinated release date: 2005-12-11

The Horde developer team has been very responsive and working with them
was exemplary.

There were several other possible XSS problems in Horde's, Kronolith's
and other modules' source which have been addressed by the developers
after further digging through the code and fixing the reported problems,
CVS archive:
http://lists.horde.org/archives/cvs/Week-of-Mon-20051128/thread.html
http://lists.horde.org/archives/cvs/Week-of-Mon-20051205/thread.html

Greetings and special thanks to Chuck!


---------
solution:
---------
The versions of Horde, Kronolith, Mnemo, Nag and other modules have
been bumped, their new releases can be obtained from
http://www.horde.org

Users are strongly urged to upgrade to the latest release of Horde and
each application. The new Horde release fixes the cellphone field
vulnerability for Turba (and any other applications displaying forms
using Horde_Form_Type_cellphone); all of the other fixes are contained
in the application that they affect.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Johannes Greil > / www.sec-consult.com /
SGT ::: < tke, mei, bmu, dfa > :::