H2005-01.txt

`Hyperdose Security Advisory  
  
Name: Cross Site Scripting holes found in Horde 3.0  
Systems Affected: Horde 3.0 installations  
Severity: Moderate  
Author: Robert Fly - [email protected]  
Advisory URL: http://www.hyperdose.com/advisories/H2005-01.txt  
  
--Horde Description--  
The Horde Application Framework is a general-purpose web application  
framework in PHP, providing classes for dealing with preferences,  
compression, browser detection, connection tracking, MIME handling, and  
more.  
  
--Bug Details--  
Horde contains two XSS attacks that can be exploited through GET requests.   
Once exploited, these requests could be used to execute any javascript  
commands in the context of that user, potentially including but not limited  
to reading and deleting email, and stealing auth tokens. Here are two  
example URLs with simple exploits.  
  
*/prefs.php?group=columns"><script>alert(document.domain)</script>&app=turba  
  
*/index.php?url=http%3A%2F%2Fserver.com%2Findex.php"%20onload="javascript:al  
ert(document.domain)"&frameset=0  
  
--Fix Information--  
Horde.org has released a new install to fix these issues. Per Horde team  
these issues are fixed in version 3.0.1, although v3.0.2, which contains the  
fixes has already been released. Kudos to them as they fixed these  
vulnerabilities within a few hours of our original email. GZ below:  
  
http://ftp.horde.org/pub/horde/horde-3.0.2.tar.gz  
  
NOTE: Per Horde team, this vulnerability does not exist in v2.0  
  
  
--About Hyperdose--  
Hyperdose Security was founded to provide companies with application  
security knowledge through all parts of an application's security  
development lifecycle. We specialize in all phases of software development  
ranging from security design and architectural reviews, security code  
reviews and penetration testing.  
  
web www.hyperdose.com   
email [email protected]  
  
  
  
`