Vulnerabilities > CVE-2006-1260 - Information Disclosure vulnerability in Horde Application Framework

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
horde
nessus
exploit available
NVD
Published: 2006-03-19
Updated: 2018-10-18

Summary

Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.

Vulnerable Configurations

Part Description Count
Application
Horde
33

Exploit-Db

descriptionHorde Web-Mail 3.x (go.php) Remote File Disclosure Vulnerability. CVE-2006-1260. Webapps exploit for php platform
idEDB-ID:4850
last seen2016-01-31
modified2008-01-06
published2008-01-06
reporterEugene Minaev
sourcehttps://www.exploit-db.com/download/4850/
titleHorde Web-Mail 3.x - go.php Remote File Disclosure Vulnerability

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1033.NASL
    descriptionSeveral remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-4190 Several Cross-Site-Scripting vulnerabilities have been discovered in the
    last seen2020-06-01
    modified2020-06-02
    plugin id22575
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22575
    titleDebian DSA-1033-1 : horde3 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1033. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22575);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-4190", "CVE-2006-1260", "CVE-2006-1491");
  script_xref(name:"DSA", value:"1033");

  script_name(english:"Debian DSA-1033-1 : horde3 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several remote vulnerabilities have been discovered in the Horde web
application framework, which may lead to the execution of arbitrary
web script code. The Common Vulnerabilities and Exposures project
identifies the following problems :

  - CVE-2005-4190
    Several Cross-Site-Scripting vulnerabilities have been
    discovered in the 'share edit window'.

  - CVE-2006-1260
    Null characters in the URL parameter bypass a sanity
    check, which allowed remote attackers to read arbitrary
    files, which allowed information disclosure.

  - CVE-2006-1491
    User input in the help viewer was passed unsanitised to
    the eval() function, which allowed injection of
    arbitrary web code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361967"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-4190"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-1260"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-1491"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1033"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the horde3 package.

The old stable distribution (woody) doesn't contain horde3 packages.

For the stable distribution (sarge) these problems have been fixed in
version 3.0.4-4sarge3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200604-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200604-02 (Horde Application Framework: Remote code execution) Jan Schneider of the Horde team discovered a vulnerability in the help viewer of the Horde Application Framework that could allow remote code execution (CVE-2006-1491). Paul Craig reported that
    last seen2020-06-01
    modified2020-06-02
    plugin id21195
    published2006-04-08
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21195
    titleGLSA-200604-02 : Horde Application Framework: Remote code execution
  • NASL familyCGI abuses
    NASL idHORDE_URL_FILE_DISCLOSURE.NASL
    descriptionThe version of Horde installed on the remote host fails to validate input to the
    last seen2020-06-01
    modified2020-06-02
    plugin id21081
    published2006-03-15
    reporterThis script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21081
    titleHorde go.php url Parameter Arbitrary File Access
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1034.NASL
    descriptionSeveral remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-1260 Null characters in the URL parameter bypass a sanity check, which allowed remote attackers to read arbitrary files, which allowed information disclosure. - CVE-2006-1491 User input in the help viewer was passed unsanitised to the eval() function, which allowed injection of arbitrary web code.
    last seen2020-06-01
    modified2020-06-02
    plugin id22576
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22576
    titleDebian DSA-1034-1 : horde2 - several vulnerabilities

References