-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, a few hours ago, Horde Framework 3.1.4 was released. This stable release as well as a previous development release titled 3.1.4 RC1 fix a script/HTML injection issue which does not require pevious authentication by the victim. By redirecting the victims' web browser to a specially crafted URL containing the payload this issue can be exploited. As the users' session cookie is already set by the time the injection takes place this issue makes the user prone to XSS attacks. The vulnerable file is framework/NLS/NLS.php. Example: [Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload= %22alert%28'XSS'%29%3B [Horde_App] should be replaced by the name of an installed Horde application, such as 'imp'. This can only be exploited on installations which are configured to display a language selection box on the login pages. This issue was /not/ initially discovered by me. I document it here as I happened to come across this while discovering XSS issues in Horde IMP and to simplify fixing vulnerable versions of repackaged distributions of this software. The developers' release announcement can be found at: http://lists.horde.org/archives/announce/2007/000315.html General information on this application is available at http://www.horde.org/ Moritz Naumann http://moritz-naumann.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF+KZ5n6GkvSd/BgwRAvSwAJ9fUFLMnQEYbT3ZftmoCBTTxYhmfACeOrQd n4JZtVHG3wRI8CpwRbGQjaI= =VGUL -----END PGP SIGNATURE-----