-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SA0011 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ Horde 3.1.1, 3.0.10 Multiple Security Issues +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PUBLISHED ON July 05, 2006 PUBLISHED AT http://moritz-naumann.com/adv/0011/hordemulti/0011.txt http://moritz-naumann.com/adv/0011/hordemulti/0011.txt.gpg PUBLISHED BY Moritz Naumann IT Consulting & Services Hamburg, Germany http://moritz-naumann.com/ SECURITY at MORITZ hyphon NAUMANN d0t COM GPG key: http://moritz-naumann.com/keys/0x277F060C.asc AFFECTED APPLICATION OR SERVICE Horde Application Framework http://www.horde.org The Horde Framework is a common code-base used by Horde applications, including libraries and a common user interface. The best known Horde application to date is probably IMP, a webbased IMAP/SMTP client. AFFECTED VERSIONS Version 3.0.0 up to and including 3.0.10 Version 3.1.0 up to and including 3.1.1 Versions below 3.0.0 have not been examined. ISSUES Horde is subject to multiple security vulnerabilities, ranging from information disclosure to client side script injection (cross site scripting) issues. +++++ 1. Cross Site Scripting #1 Horde is subject to a client side script injection vulnerability in the URL redirection (dereferrer) function. By accessing the following (partial) URI on a web site running an affected version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application: [Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0); This problem is caused by insufficient validation of user supplied input. It is only known to be exploitable on Internet Explorer 6 (tested on v6.2900.2180 including all patches on Windows XP SP2). Internet Explorer 7 beta 3 is not affected. +++++ 2. Cross Site Scripting #2 Horde is subject to a client side script injection vulnerability in the help function. By accessing the following (partial) URI on a web site running a vulnerable version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application: [Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E This problem is caused by insufficient validation of user supplied input. All common modern browsers providing Javascript support are assumed to be prone to this issue. +++++ 3. Cross Site Scripting #3 Horde is subject to a client side script injection vulnerability in the problem reporting function. By accessing the following (partial) URI on a web site running a vulnerable version with a web browser which is prone to this issue, client side script code will be injected into the output generated by the application: [Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22 This problem is caused by insufficient validation of user supplied input. All common modern browsers providing Javascript support are assumed to be prone to this issue. +++++ 4. Cross Site Scripting #4, Web tunneling behaviour Horde is subject to a server side issue which allows to tunnel HTTP GET requests through the application and to inject remotely hosted web script into the output generated by the application. This behaviour allows for accessing arbitrary locations which are addressable using URIs starting with 'http://','https://' or 'ftp://' protocol handlers. These locations will be accessible from within the security context of the web server running an affected version of the application. As a result, an attacker may be able to access remote locations s/he would not have otherwise access to, without disclosing the real source of the request [1]. Additionally, insufficiently access restricted local (server-side) or remote (3rd party) locations may become available [2]. By tricking a victim into starting a tunnelling call to a previously prepared malicious HTML file, stored in a remote location, which contains web script which may be executed on the client side, it is possible to extend this into a script injection issue. The injected script would be executed by the client within the context of the domain the vulnerable web application is hosted in. [3] All common modern browsers providing Javascript support are assumed to be prone to this issue. By accessing the following (partial) URIs on a web site running a vulnerable version with a web browser, the behaviours described above may be triggered: [1] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/ [2] [Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status [3] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html BACKGROUND Cross Site Scripting (XSS): Cross Site Scripting, also known as XSS or CSS, describes the injection of malicious content into output produced by a web application. A common attack vector is the inclusion of arbitrary client side script code into the applications' output. Failure to completely sanitize user input from malicious content can cause a web application to be vulnerable to Cross Site Scripting. http://www.owasp.org/index.php/Cross_Site_Scripting http://en.wikipedia.org/wiki/XSS http://www.cgisecurity.net/articles/xss-faq.shtml WORKAROUNDS Issues 1-3: Client: Disable Javascript. Server: Prevent access to vulnerable file(s). Issues 1-3: Client: Use application as intended only. Server: Prevent access to vulnerable file(s). SOLUTIONS The Horde project has released versions 3.1.2 and 3.1.11 today. These are supposed to fix all of the above issues. The updated packages are available at http://horde.org/ TIMELINE Jun 06, 2006 Issues 1-4: Discovery, code maintainer notification Jun 06, 2006 Issues 1-4: Code maintainer acknowledgement Jul 05, 2006 Issues 1-4: Code maintainer provides fix publicly Jul 05, 2005 Issues 1-4: Public advisory NOTES This is not related to CVE-2006-2195. REFERENCES Developers' release announcements v3.1.2: http://lists.horde.org/archives/announce/2006/000288.html v3.0.11: http://lists.horde.org/archives/announce/2006/000287.html ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License Germany http://creativecommons.org/licenses/by-sa/2.0/de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFErDF5n6GkvSd/BgwRAlIlAJ9xrsIW0RfsRyGD0POmQuiamKE0QwCeNHbU VYOhRZ7bDiPo6TZfHYl93mE= =Avtu -----END PGP SIGNATURE-----