Vulnerabilities > CVE-2006-3548 - Cross-Site Scripting vulnerability in Horde Application Framework Services

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
network
horde
nessus

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a javascript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen).

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_HORDE-1868.NASL
    description: This update fixes the following two security issues in the Horde Application Framework : - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform 'Web tunneling' attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27265
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27265
    title: openSUSE 10 Security Update : horde (horde-1868)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update horde-1868.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration phase: with `description` set the plugin only records the
    # metadata below and exits; the package check further down does not run.
    if (description)
    {
      script_id(27265);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      # One openSUSE update covers both CVEs, so a finding from this plugin
      # does not say which of the two issues is the relevant one.
      script_cve_id("CVE-2006-3548", "CVE-2006-3549");
    
      script_name(english:"openSUSE 10 Security Update : horde (horde-1868)");
      script_summary(english:"Check for the horde-1868 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following two security issues in the Horde
    Application Framework :
    
      - CVE-2006-3548: Multiple cross-site scripting (XSS)
        vulnerabilities allow remote attackers to inject
        arbitrary web script or HTML via a (1) JavaScript URI or
        an external (2) http, (3) https, or (4) ftp URI in the
        url parameter in services/go.php (aka the dereferrer),
        (5) a JavaScript URI in the module parameter in
        services/help (aka the help viewer), and (6) the name
        parameter in services/problem.php (aka the problem
        reporting screen).
    
      - CVE-2006-3549: services/go.php does not properly
        restrict its image proxy capability, which allows remote
        attackers to perform 'Web tunneling' attacks and use the
        server as a proxy via (1) http, (2) https, and (3) ftp
        URL in the url parameter, which is requested from the
        server."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected horde package.");
      # NOTE(review): this vector uses AC:L, while the CVE-2006-3548 record is
      # rated "Attack complexity MEDIUM" (AC:M). The lower complexity may come
      # from CVE-2006-3549, which this plugin also lists -- confirm before
      # using the score to prioritise the XSS issue.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      # "local": the verdict comes from the host's package data, not from a
      # request to the Horde web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:horde");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # The KB keys required here are presumably filled in by ssh_get_info.nasl
      # during a credentialed scan; without them the check below audits out.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: each audit() call ends the run with a reason, so a host
    # that cannot be assessed is never silently reported as clean.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/SuSE/release");
    # SLED/SLES hosts are out of scope; this advisory is for openSUSE only.
    if (isnull(release) || release =~ "^(SLED|SLES)")
      audit(AUDIT_OS_NOT, "openSUSE");
    # Only the 10.1 release is covered by the horde-1868 update.
    if (release !~ "^(SUSE10\.1)$")
      audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);

    if (!get_kb_item("Host/SuSE/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # The reference is the distribution build that carries the fix
    # (3.0.9-19.4). Its upstream version, 3.0.9, still lies inside the range
    # the CVE lists as affected (3.0.0 through 3.0.10), so a check based on
    # the upstream version number alone would misreport a patched openSUSE
    # host. rpm_check presumably returns true when the installed build is
    # older than the reference -- confirm against rpm.inc.
    flag = 0;
    if (rpm_check(release:"SUSE10.1", reference:"horde-3.0.9-19.4"))
      flag = flag + 1;

    if (!flag)
    {
      # Distinguish "installed and patched" from "not installed at all".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "horde");
    }
    else
    {
      # Attach the package comparison details when the scan asks for them.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E94CB43D0C4A11DB90160050BF27BA24.NASL
    description: Horde 3.1.2 release announcement : Security Fixes : - Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen. - Removed unused image proxy code from dereferrer.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22006
    published: 2006-07-06
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22006
    title: FreeBSD : horde -- various problems in dereferrer (e94cb43d-0c4a-11db-9016-0050bf27ba24)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    # Registration phase: with `description` set the plugin only records the
    # metadata below and exits; the package check further down does not run.
    if (description)
    {
      script_id(22006);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      # NOTE(review): the description also mentions removal of the image-proxy
      # code from the dereferrer, which the other advisories for this Horde
      # release track as CVE-2006-3549; only CVE-2006-3548 is listed here --
      # confirm whether that is intended.
      script_cve_id("CVE-2006-3548");
    
      script_name(english:"FreeBSD : horde -- various problems in dereferrer (e94cb43d-0c4a-11db-9016-0050bf27ba24)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Horde 3.1.2 release announcement :
    
    Security Fixes :
    
    - Closed XSS problems in dereferrer (IE only), help viewer and problem
    reporting screen.
    
    - Removed unused image proxy code from dereferrer."
      );
      # http://lists.horde.org/archives/announce/2006/000288.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.horde.org/archives/announce/2006/000288.html"
      );
      # The value below is a shortened link; the comment records the VuXML
      # entry it stands for.
      # https://vuxml.freebsd.org/freebsd/e94cb43d-0c4a-11db-9016-0050bf27ba24.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c525971c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      # "local": the verdict comes from the host's package data, not from a
      # request to the Horde web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:horde");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:horde-php5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # The KB keys required here are presumably filled in by ssh_get_info.nasl
      # during a credentialed scan; without them the check below audits out.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Preconditions: each audit() call ends the run with a reason, so a host
    # that cannot be assessed is never silently reported as clean.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release"))
      audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # Both package names are always tested so that the saved report covers
    # every affected package found on the host.
    #
    # NOTE(review): "<3.1.2" also matches a 3.0.11 package, which the CVE text
    # treats as fixed on the 3.0 branch (affected: 3.0.0 through 3.0.10). The
    # specs are taken from VuXML; confirm whether a 3.0.x port ever shipped
    # before treating such a hit as a true positive.
    flag = 0;
    foreach spec (make_list("horde<3.1.2", "horde-php5<3.1.2"))
    {
      if (pkg_test(save_report:TRUE, pkg:spec)) flag++;
    }

    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Attach the package comparison details when the scan asks for them.
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    
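  • NASL family: CGI abuses : XSS
    NASL id: HORDE_URL_XSS.NASL
    description: The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it in dynamically-generated content. An unauthenticated attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser. In addition, similar cross-site scripting issues reportedly exist with the 'module' parameter of the 'services/help/index.php' script and the 'name' parameter of the 'services/problem.php' script.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22004
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22004
    title: Horde < 3.0.11 / 3.1.2 Multiple Script XSS
    code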
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: with `description` set the plugin only records the
    # metadata below and exits; the HTTP check further down does not run.
    if (description)
    {
      script_id(22004);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      script_cve_id("CVE-2006-3548", "CVE-2006-3549");
      script_bugtraq_id(18845);
    
      script_name(english:"Horde < 3.0.11 / 3.1.2 Multiple Script XSS");
      script_summary(english:"Tries to exploit an XSS flaw in Horde's services/go.php");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP script that is affected by
    multiple cross-site scripting vulnerabilities.");
      # Only the 'url' parameter of services/go.php is actually tested by this
      # plugin; the description reports the other two parameters as
      # "reportedly" affected, so a finding here does not confirm them.
      script_set_attribute(attribute:"description", value:
    "The version of Horde installed on the remote host fails to validate
    input to the 'url' parameter of the 'services/go.php' script before
    using it in dynamically-generated content.  An unauthenticated
    attacker may be able to leverage this issue to inject arbitrary HTML
    and script code into a user's browser. 
    
    In addition, similar cross-site scripting issues reportedly exist with
    the 'module' parameter of the 'services/help/index.php' script and the
    'name' parameter of the 'services/problem.php' script.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jul/91");
      script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000287.html");
      script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000288.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Horde 3.0.11 / 3.1.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2006/07/05");
      script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/05");
    
      # "remote": the verdict comes from the web application's response, so it
      # reflects actual behaviour rather than an installed package version.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
      script_end_attributes();
     
      # ACT_ATTACK: this plugin sends a crafted HTTP request to the target
      # instead of reading package data like the ACT_GATHER_INFO checks.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses : XSS");
     
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
    
      # horde_detect.nasl presumably records the www/horde install entries the
      # check reads; cross_site_scripting.nasl presumably sets the generic_xss
      # key the check consults to skip servers that reflect any input.
      script_dependencies("horde_detect.nasl", "cross_site_scripting.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/horde");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("url_func.inc");
    
    
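    # Remote check for the dereferrer XSS (the 'url' parameter of go.php).
    #
    # Every path that ends without a finding now exits with a reason, so the
    # scan log shows why the plugin stopped instead of an unexplained
    # "nothing reported". A missing finding still does not prove the host is
    # fixed: only go.php is probed, and only one response pattern is matched.
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0, "The web server on port "+port+" does not appear to support PHP.");
    # A server already flagged as reflecting arbitrary input would match the
    # test below regardless of Horde, so skip it to avoid a false positive.
    if (get_kb_item("www/"+port+"/generic_xss")) exit(0, "The web server on port "+port+" is prone to XSS.");
    
    
    # Marker string for the reflection test. The argument is the unquoted
    # script name, so it is not valid script; it only has to be recognisable
    # when it comes back in the response.
    xss = string("javascript:alert(", SCRIPT_NAME, ")");
    
    
    # Look up the Horde install recorded for this port.
    install = get_kb_item(string("www/", port, "/horde"));
    if (isnull(install)) exit(0, "Horde was not detected on port "+port);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    # An entry that cannot be parsed leaves the host untested; report that as
    # an error rather than ending silently.
    if (isnull(matches)) exit(1, "The Horde install entry for port "+port+" could not be parsed.");
    
    dir = matches[2];
    
    # Request the dereferrer with the marker appended to a placeholder URL and
    # check whether it is echoed back unfiltered.
    #
    # nb: Horde 3.x uses "/services"; Horde 2.x, "/util".
    foreach subdir (make_list("/services", "/util"))
    {
      r = http_send_recv3(method:"GET", 
        item:string(
          dir, subdir, "/go.php?",
          "url=", urlencode(str:string("http://www.example.com/;url=", xss))
        ), 
        port:port
      );
      if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond");
      res = strcat(r[0], r[1], '\r\n', r[2]);
    
      # There's a problem if the marker appears verbatim in the redirect.
      # Only this exact "Refresh" form is matched, so a server that redirects
      # in another way produces no finding here.
      if (string("Refresh: 0; URL=http://www.example.com/;url=", xss) >< res)
      {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    }
    
    exit(0, "The Horde install under "+dir+" on port "+port+" did not reflect the test string.");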
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1406.NASL
    description: Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28151
    published: 2007-11-12
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/28151
    title: Debian DSA-1406-1 : horde3 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1406. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: with `description` set the plugin only records the
    # metadata below and exits; the package check further down does not run.
    if (description)
    {
      script_id(28151);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      # One advisory, five CVEs: a finding from this plugin does not say which
      # of them applies. Per the description below, only CVE-2007-1473 affects
      # etch; the other four apply to sarge only.
      script_cve_id("CVE-2006-3548", "CVE-2006-3549", "CVE-2006-4256", "CVE-2007-1473", "CVE-2007-1474");
      script_xref(name:"DSA", value:"1406");
    
      script_name(english:"Debian DSA-1406-1 : horde3 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in the Horde web
    application framework. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CVE-2006-3548
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-3549
        Moritz Naumann discovered that Horde does not properly
        restrict its image proxy, allowing remote attackers to
        use the server as a proxy.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-4256
        Marc Ruef discovered that Horde allows remote attackers
        to include web pages from other sites, which could be
        useful for phishing attacks.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2007-1473
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to both stable (etch) and oldstable
          (sarge).
    
      - CVE-2007-1474
        iDefense discovered that the cleanup cron script in
        Horde allows local users to delete arbitrary files.
    
          This vulnerability applies to oldstable (sarge) only."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-4256"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1473"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1474"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1406"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the horde3 package.
    
    For the old stable distribution (sarge) these problems have been fixed
    in version 3.0.4-4sarge6.
    
    For the stable distribution (etch) these problems have been fixed in
    version 3.1.3-4etch1."
      );
      # NOTE(review): one vector (C:P/I:P/A:P) is recorded for all five CVEs.
      # It is higher than the C:N/I:P/A:N rating given to CVE-2006-3548 on its
      # own and presumably reflects the most severe issue in the set -- do not
      # read it as the severity of the XSS alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # "local": the verdict comes from the host's package data, not from a
      # request to the Horde web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # The KB keys required here are presumably filled in by ssh_get_info.nasl
      # during a credentialed scan; without them the check below audits out.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each audit() call ends the run with a reason, so a host
    # that cannot be assessed is never silently reported as clean.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # Both releases are always evaluated, in the original order, so the saved
    # report covers whichever one matches the host. The references are the
    # fixed builds named in the advisory (3.1 -> 3.0.4-4sarge6, 4.0 ->
    # 3.1.3-4etch1); both carry backported fixes, so the upstream version
    # number alone does not tell whether a host is patched.
    #
    # Triage hint: per the advisory text, a hit on release 4.0 (etch) relates
    # to CVE-2007-1473 only; CVE-2006-3548 applies to release 3.1 (sarge).
    sarge_hit = deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge6");
    etch_hit = deb_check(release:"4.0", prefix:"horde3", reference:"3.1.3-4etch1");

    if (!sarge_hit && !etch_hit) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Attach the package comparison details when the scan asks for them.
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }