Horde 3.1.4 (RC1) fixes XSS issue

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

a few hours ago, Horde Framework 3.1.4 was released. This stable release
as well as a previous development release titled 3.1.4 RC1 fix a
script/HTML injection issue which does not require pevious
authentication by the victim.

By redirecting the victims' web browser to a specially crafted URL
containing the payload this issue can be exploited. As the users'
session cookie is already set by the time the injection takes place this
issue makes the user prone to XSS attacks.

The vulnerable file is framework/NLS/NLS.php.

Example:
[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=
%22alert%28'XSS'%29%3B

[Horde_App] should be replaced by the name of an installed Horde
application, such as 'imp'.

This can only be exploited on installations which are configured to
display a language selection box on the login pages.

This issue was /not/ initially discovered by me. I document it here as
I happened to come across this while discovering XSS issues in Horde IMP
and to simplify fixing vulnerable versions of repackaged distributions
of this software.

The developers' release announcement can be found at:
http://lists.horde.org/archives/announce/2007/000315.html

General information on this application is available at
http://www.horde.org/

Moritz Naumann
http://moritz-naumann.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+KZ5n6GkvSd/BgwRAvSwAJ9fUFLMnQEYbT3ZftmoCBTTxYhmfACeOrQd
n4JZtVHG3wRI8CpwRbGQjaI=
=VGUL
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Horde 3.1.4 (RC1) fixes XSS issue