Horde 3.1.4 (RC1) fixes XSS issue

2007.03.20
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, a few hours ago, Horde Framework 3.1.4 was released. This stable release as well as a previous development release titled 3.1.4 RC1 fix a script/HTML injection issue which does not require pevious authentication by the victim. By redirecting the victims' web browser to a specially crafted URL containing the payload this issue can be exploited. As the users' session cookie is already set by the time the injection takes place this issue makes the user prone to XSS attacks. The vulnerable file is framework/NLS/NLS.php. Example: [Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload= %22alert%28'XSS'%29%3B [Horde_App] should be replaced by the name of an installed Horde application, such as 'imp'. This can only be exploited on installations which are configured to display a language selection box on the login pages. This issue was /not/ initially discovered by me. I document it here as I happened to come across this while discovering XSS issues in Horde IMP and to simplify fixing vulnerable versions of repackaged distributions of this software. The developers' release announcement can be found at: http://lists.horde.org/archives/announce/2007/000315.html General information on this application is available at http://www.horde.org/ Moritz Naumann http://moritz-naumann.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF+KZ5n6GkvSd/BgwRAvSwAJ9fUFLMnQEYbT3ZftmoCBTTxYhmfACeOrQd n4JZtVHG3wRI8CpwRbGQjaI= =VGUL -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top