CVE-2006-3548 - Unspecified vulnerability in Horde
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

horde
nessus
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a javascript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 13 |
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_HORDE-1868.NASL
- description: This update fixes the following two security issues in the Horde Application Framework :
  - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen).
  - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27265
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27265
- title: openSUSE 10 Security Update : horde (horde-1868)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update horde-1868.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27265);
  script_version ("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-3548", "CVE-2006-3549");

  script_name(english:"openSUSE 10 Security Update : horde (horde-1868)");
  script_summary(english:"Check for the horde-1868 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes the following two security issues in the Horde Application Framework : - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform 'Web tunneling' attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected horde package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:horde");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"horde-3.0.9-19.4") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "horde");
}
```
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_E94CB43D0C4A11DB90160050BF27BA24.NASL
- description: Horde 3.1.2 release announcement : Security Fixes :
  - Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen.
  - Removed unused image proxy code from dereferrer.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22006
- published: 2006-07-06
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22006
- title: FreeBSD : horde -- various problems in dereferrer (e94cb43d-0c4a-11db-9016-0050bf27ba24)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(22006);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2006-3548");

  script_name(english:"FreeBSD : horde -- various problems in dereferrer (e94cb43d-0c4a-11db-9016-0050bf27ba24)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Horde 3.1.2 release announcement : Security Fixes : - Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen. - Removed unused image proxy code from dereferrer."
  );
  # http://lists.horde.org/archives/announce/2006/000288.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.horde.org/archives/announce/2006/000288.html"
  );
  # https://vuxml.freebsd.org/freebsd/e94cb43d-0c4a-11db-9016-0050bf27ba24.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c525971c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:horde");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:horde-php5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"horde<3.1.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"horde-php5<3.1.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: CGI abuses : XSS
- NASL id: HORDE_URL_XSS.NASL
- description: The version of Horde installed on the remote host fails to validate input to the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22004
- published: 2006-07-05
- reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22004
- title: Horde < 3.0.11 / 3.1.2 Multiple Script XSS
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22004);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:19");

  script_cve_id("CVE-2006-3548", "CVE-2006-3549");
  script_bugtraq_id(18845);

  script_name(english:"Horde < 3.0.11 / 3.1.2 Multiple Script XSS");
  script_summary(english:"Tries to exploit an XSS flaw in Horde's services/go.php");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by multiple cross-site scripting vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it in dynamically-generated content. An unauthenticated attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser. In addition, similar cross-site scripting issues reportedly exist with the 'module' parameter of the 'services/help/index.php' script and the 'name' parameter of the 'services/problem.php' script.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jul/91");
  script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000287.html");
  script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000288.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Horde 3.0.11 / 3.1.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/07/05");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/05");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("horde_detect.nasl", "cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/horde");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
if (get_kb_item("www/"+port+"/generic_xss")) exit(0, "The web server on port "+port+" is prone to XSS.");

# A simple (and invalid) alert.
xss = string("javascript:alert(", SCRIPT_NAME, ")");

# Test an install.
install = get_kb_item(string("www/", port, "/horde"));
if (isnull(install)) exit(0, "Horde was not detected on port "+port);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Try to exploit the issue to read a file.
  #
  # nb: Horde 3.x uses "/services"; Horde 2.x, "/util".
  foreach subdir (make_list("/services", "/util"))
  {
    r = http_send_recv3(method:"GET",
      item:string(
        dir, subdir, "/go.php?",
        "url=", urlencode(str:string("http://www.example.com/;url=", xss))
      ),
      port:port
    );
    if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond");
    res = strcat(r[0], r[1], '\r\n', r[2]);

    # There's a problem if our XSS appears in the redirect.
    if (string("Refresh: 0; URL=http://www.example.com/;url=", xss) >< res)
    {
      security_warning(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }
  }
}
```
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1406.NASL
- description: Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems :
  - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only.
  - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only.
  - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only.
  - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge).
  - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 28151
- published: 2007-11-12
- reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/28151
- title: Debian DSA-1406-1 : horde3 - several vulnerabilities
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1406. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(28151);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2006-3548", "CVE-2006-3549", "CVE-2006-4256", "CVE-2007-1473", "CVE-2007-1474");
  script_xref(name:"DSA", value:"1406");

  script_name(english:"Debian DSA-1406-1 : horde3 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378281"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383416"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3548"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3549"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-4256"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1473"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1474"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2007/dsa-1406"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the horde3 package. For the old stable distribution (sarge) these problems have been fixed in version 3.0.4-4sarge6. For the stable distribution (etch) these problems have been fixed in version 3.1.3-4etch1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge6")) flag++;
if (deb_check(release:"4.0", prefix:"horde3", reference:"3.1.3-4etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047687.html
- http://lists.horde.org/archives/announce/2006/000287.html
- http://lists.horde.org/archives/announce/2006/000288.html
- http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
- http://secunia.com/advisories/20954
- http://secunia.com/advisories/21459
- http://secunia.com/advisories/27565
- http://securityreason.com/securityalert/1229
- http://securitytracker.com/id?1016442
- http://www.debian.org/security/2007/dsa-1406
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://www.securityfocus.com/archive/1/439255/100/0/threaded
- http://www.securityfocus.com/bid/18845
- http://www.vupen.com/english/advisories/2006/2694
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27589