Horde 3.1.4 (RC1) fixes XSS issue

2007.03.20
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, a few hours ago, Horde Framework 3.1.4 was released. This stable release as well as a previous development release titled 3.1.4 RC1 fix a script/HTML injection issue which does not require pevious authentication by the victim. By redirecting the victims' web browser to a specially crafted URL containing the payload this issue can be exploited. As the users' session cookie is already set by the time the injection takes place this issue makes the user prone to XSS attacks. The vulnerable file is framework/NLS/NLS.php. Example: [Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload= %22alert%28'XSS'%29%3B [Horde_App] should be replaced by the name of an installed Horde application, such as 'imp'. This can only be exploited on installations which are configured to display a language selection box on the login pages. This issue was /not/ initially discovered by me. I document it here as I happened to come across this while discovering XSS issues in Horde IMP and to simplify fixing vulnerable versions of repackaged distributions of this software. The developers' release announcement can be found at: http://lists.horde.org/archives/announce/2007/000315.html General information on this application is available at http://www.horde.org/ Moritz Naumann http://moritz-naumann.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF+KZ5n6GkvSd/BgwRAvSwAJ9fUFLMnQEYbT3ZftmoCBTTxYhmfACeOrQd n4JZtVHG3wRI8CpwRbGQjaI= =VGUL -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top