Vulnerabilities > CVE-2002-0181 - Cross-Site Scripting vulnerability in Horde IMP Status.PHP3

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to execute arbitrary web script and steal cookies of other IMP/HORDE users via the script parameter.

Vulnerable Configurations

Part Description Count
Application
Horde
2

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-126.NASL
    descriptionA cross-site scripting (CSS) problem was discovered in Horde and IMP (a web-based IMAP mail package). This was fixed upstream in Horde version 1.2.8 and IMP version 2.2.8. The relevant patches have been back-ported to version 1.2.6-0.potato.5 of the horde package and version 2.2.6-0.potato.5 of the imp package. This release also fixes a bug introduced by the PHP security fix from DSA-115-1: Postgres support for PHP was changed in a subtle way which broke the Postgres support from IMP.
    last seen2020-06-01
    modified2020-06-02
    plugin id14963
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14963
    titleDebian DSA-126-1 : imp - XSS
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-126. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and the script exits before any
    # of the host checks further down run.
    if (description)
    {
      script_id(14963);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      # Cross-references: the CVE this check covers, its Bugtraq id, and the
      # Debian advisory the package versions below are taken from.
      script_cve_id("CVE-2002-0181");
      script_bugtraq_id(4444);
      script_xref(name:"DSA", value:"126");
    
      script_name(english:"Debian DSA-126-1 : imp - XSS");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Description text is quoted from DSA-126 ("CSS" is the advisory's own
      # abbreviation for cross-site scripting; it is not about stylesheets).
      script_set_attribute(
        attribute:"description", 
        value:
    "A cross-site scripting (CSS) problem was discovered in Horde and IMP
    (a web-based IMAP mail package). This was fixed upstream in Horde
    version 1.2.8 and IMP version 2.2.8. The relevant patches have been
    back-ported to version 1.2.6-0.potato.5 of the horde package and
    version 2.2.6-0.potato.5 of the imp package.
    
    This release also fixes a bug introduced by the PHP security fix from
    DSA-115-1: Postgres support for PHP was changed in a subtle way which
    broke the Postgres support from IMP."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-126"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected imp package.");
      # CVSS2 base vector AV:N/AC:L/Au:N/C:P/I:P/A:P scores 7.5 (HIGH).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Local (package-list based) check, so the CPEs name the Debian packages
      # and release rather than the upstream Horde/IMP products.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # ssh_get_info.nasl presumably populates the Host/* KB keys required
      # here; the check body below refuses to run when they are absent.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Prerequisites for a local package check; every audit() call exits the
    # plugin with the matching reason, so nothing below runs without them.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Compare the installed horde and imp packages on potato (2.2) against the
    # fixed versions from DSA-126.  Both checks are always evaluated (no
    # short-circuit) so that deb_report_get() presumably sees every package.
    outdated_pkgs = 0;
    if (deb_check(release:"2.2", prefix:"horde", reference:"1.2.6-0.potato.5")) outdated_pkgs++;
    if (deb_check(release:"2.2", prefix:"imp", reference:"2.2.6-0.potato.5")) outdated_pkgs++;
    
    # Nothing behind the fix: report the host as unaffected (audit() exits).
    if (!outdated_pkgs) audit(AUDIT_HOST_NOT, "affected");
    
    # At least one package is outdated; attach the package details only when
    # the scan is configured for verbose reporting.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyCGI abuses : XSS
    NASL idIMP_STATUS_XSS.NASL
    descriptionThe remote host is running at least one instance of Horde IMP in which the
    last seen2020-06-01
    modified2020-06-02
    plugin id15616
    published2004-11-03
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15616
    titleHorde IMP status.php3 script Parameter XSS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and the script exits before the
    # remote check further down runs.
    if (description)
    {
      script_id(15616);
      script_version("1.20");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2002-0181");
      script_bugtraq_id(4444);
    
      script_name(english:"Horde IMP status.php3 script Parameter XSS");
      script_summary(english:"Checks for status.php3 XSS flaw in Horde IMP");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a PHP application that is affected by
    a cross-site scripting vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running at least one instance of Horde IMP in which
    the 'status.php3' script is vulnerable to a cross-site scripting attack 
    since information passed to it is not properly sanitized.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Apr/98");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to IMP version 2.2.8 or later.");
      # CVSS2 base vector AV:N/AC:M/Au:N/C:N/I:P/A:N scores 4.3.
      # NOTE(review): the DSA-126 plugin for the same CVE uses
      # AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5); together with "No exploit is
      # required" below, AC:M looks inconsistent -- confirm which is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-79 (cross-site scripting) is the primary weakness; the others are
      # the usual parent/category entries carried along with it.
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/03");
      # NOTE(review): the see_also reference and DSA-126 date the disclosure
      # to April 2002; "2004" here looks like a typo for 2002 -- confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:imp");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
    
      script_family(english:"CGI abuses : XSS");
      
      # imp_detect.nasl presumably writes the www/<port>/imp KB entries the
      # check body enumerates; the plugin is skipped entirely when CGI
      # scanning is disabled in the scan settings.
      script_dependencie("global_settings.nasl", "imp_detect.nasl");
      script_require_ports("Services/www", 80);
      script_exclude_keys("Settings/disable_cgi_scanning");
      exit(0);
    }
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
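    # Remote check: for every IMP install known on this web port, request
    # status.php3 with a marker in the `script` parameter and report the
    # instance as vulnerable if the marker is echoed back unencoded.
    # (The unused `host` local from the original has been dropped.)
    port = get_http_port(default:80, embedded:TRUE);
    
    if (!get_port_state(port)) exit(0);
    
    # Check each installed instance, stopping at the first vulnerable one.
    # The www/<port>/imp entries are presumably written by imp_detect.nasl
    # in the form "<version> under <dir>".
    installs = get_kb_list(string("www/", port, "/imp"));
    if (isnull(installs)) exit(0);
    foreach install (installs) {
      matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
      # Entries that do not follow the expected layout are skipped, not fatal.
      if (isnull(matches)) continue;
    
      ver = matches[1];
      dir = matches[2];
      if (debug_level) display("debug: checking version ", ver, " under ", dir, ".\n");
    
      url = string(
        dir,
        # nb: if you change the URL, you probably need to change the
        #     pattern in the egrep() below.
        "/status.php3?script=<script>foo</script>"
      );
      req = http_get(item:url, port:port);
      res = http_keepalive_send_recv(port:port, data:req);
      # A failed or empty response for one install must not abort the check
      # of the remaining installs (the original exit(0) here would have
      # silently skipped them, giving a false negative for the host).
      if (isnull(res)) continue;
    
      # Vulnerable if the marker comes back verbatim, i.e. the parameter was
      # not HTML-encoded before being reflected into the page.
      if (egrep(string:res, pattern:'<script>foo</script>')) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    }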