ID CVE-2006-3549
Summary services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
Vulnerable Configurations
  • Horde Application Framework 3.0.0
    cpe:2.3:a:horde:horde_application_framework:3.0.0
  • Horde Application Framework 3.0.1
    cpe:2.3:a:horde:horde_application_framework:3.0.1
  • Horde Application Framework 3.0.2
    cpe:2.3:a:horde:horde_application_framework:3.0.2
  • Horde Application Framework 3.0.3
    cpe:2.3:a:horde:horde_application_framework:3.0.3
  • Horde Application Framework 3.0.4
    cpe:2.3:a:horde:horde_application_framework:3.0.4
  • Horde Application Framework 3.0.5
    cpe:2.3:a:horde:horde_application_framework:3.0.5
  • Horde Application Framework 3.0.6
    cpe:2.3:a:horde:horde_application_framework:3.0.6
  • Horde Application Framework 3.0.7
    cpe:2.3:a:horde:horde_application_framework:3.0.7
  • Horde Application Framework 3.0.8
    cpe:2.3:a:horde:horde_application_framework:3.0.8
  • Horde Application Framework 3.0.9
    cpe:2.3:a:horde:horde_application_framework:3.0.9
  • Horde Application Framework 3.0.10
    cpe:2.3:a:horde:horde_application_framework:3.0.10
  • Horde Application Framework 3.1.0
    cpe:2.3:a:horde:horde_application_framework:3.1.0
  • Horde Application Framework 3.1.1
    cpe:2.3:a:horde:horde_application_framework:3.1.1
CVSS
Base: 5.0 (as of 13-07-2006 - 13:42)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family CGI abuses : XSS
    NASL id HORDE_URL_XSS.NASL
    description The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it in dynamically-generated content. An unauthenticated attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser. In addition, similar cross-site scripting issues reportedly exist with the 'module' parameter of the 'services/help/index.php' script and the 'name' parameter of the 'services/problem.php' script.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 22004
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22004
    title Horde < 3.0.11 / 3.1.2 Multiple Script XSS
  • NASL family SuSE Local Security Checks
    NASL id SUSE_HORDE-1868.NASL
    description This update fixes the following two security issues in the Horde Application Framework:
      - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen).
      - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform 'Web tunneling' attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27265
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27265
    title openSUSE 10 Security Update : horde (horde-1868)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1406.NASL
    description Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2006-3548: Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only.
      - CVE-2006-3549: Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only.
      - CVE-2006-4256: Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only.
      - CVE-2007-1473: Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge).
      - CVE-2007-1474: iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 28151
    published 2007-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28151
    title Debian DSA-1406-1 : horde3 - several vulnerabilities
refmap via4
bid 18845
bugtraq 20060705 Public Advisory: Horde 3.1.1, 3.0.10 Multiple Security Issues
confirm
debian DSA-1406
misc http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
sectrack 1016442
secunia
  • 20954
  • 21459
  • 27565
sreason 1229
suse SUSE-SR:2006:019
vupen ADV-2006-2694
Last major update 07-03-2011 - 21:38
Published 12-07-2006 - 20:05
Last modified 18-10-2018 - 12:47