Horde NLS.php Language Selection Function XSS

2007-03-14T11:18:42
ID OSVDB:33084
Type osvdb
Reporter OSVDB
Modified 2007-03-14T11:18:42

Description

Vulnerability Description

The Horde Application Framework contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input passed to the 'language selection' function in script 'NLS.php'. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 3.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

The Horde Application Framework contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input passed to the 'language selection' function in script 'NLS.php'. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[victim]/[horde_path]/login.php?new_lang="><body onload="alert('XSS');

References:

Vendor URL: http://www.horde.org Vendor Specific News/Changelog Entry: http://cvs.horde.org/diff.php?r1=1.109&r2=1.110&f=framework%2FNLS%2FNLS.php Vendor Specific Advisory URL Security Tracker: 1017775 Secunia Advisory ID:24995 Secunia Advisory ID:24528 Secunia Advisory ID:27565 Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1406 Other Advisory URL: http://www.novell.com/linux/security/advisories/2007_007_suse.html Mail List Post: http://lists.horde.org/archives/announce/2007/000315.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0181.html ISS X-Force ID: 33013 FrSIRT Advisory: ADV-2007-0965 CVE-2007-1473 Bugtraq ID: 22984