Vulnerabilities > CVE-2006-3549 - Unspecified vulnerability in Horde Application Framework
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
horde
nessus
Summary
services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
Vulnerable Configurations
Nessus
NASL family SuSE Local Security Checks
NASL id SUSE_HORDE-1868.NASL
description This update fixes the following two security issues in the Horde Application Framework : - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform
last seen 2020-06-01
modified 2020-06-02
plugin id 27265
published 2007-10-17
reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/27265
title openSUSE 10 Security Update : horde (horde-1868)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update horde-1868.
#
# The text description of this plugin is (C) SUSE LLC.
#

# Purpose: local package check for openSUSE 10.1. It reports the host when
# rpm_check() flags the installed horde package against the reference
# "horde-3.0.9-19.4". Nothing in this script sends a request to
# services/go.php; the result reflects package state only, so a finding (or
# its absence) says nothing about a Horde copy installed outside the package
# manager.

include("compat.inc");

# Metadata block: registers the plugin's identity, text and prerequisites,
# then exits without running the check below.
if (description)
{
  script_id(27265);
  script_version ("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  # Both CVEs are tied to this one package update; the check cannot tell them apart.
  script_cve_id("CVE-2006-3548", "CVE-2006-3549");

  script_name(english:"openSUSE 10 Security Update : horde (horde-1868)");
  script_summary(english:"Check for the horde-1868 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes the following two security issues in the Horde Application Framework : - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform 'Web tunneling' attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected horde package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:horde");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # The check consumes knowledge-base entries; presumably ssh_get_info.nasl is
  # what populates them from an authenticated session - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Without local (credentialed) checks there is no package list to compare.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
# SLED/SLES releases are rejected here: this plugin only speaks for openSUSE.
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
# Only the exact release string SUSE10.1 is in scope.
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# NOTE(review): rpm_check() presumably returns true when the installed package
# is older than the reference - confirm in rpm.inc.
if ( rpm_check(release:"SUSE10.1", reference:"horde-3.0.9-19.4") ) flag++;

if (flag)
{
  # Verbose runs attach the package comparison report to the finding.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "package tested and not flagged" from "package not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "horde");
}
NASL family CGI abuses : XSS
NASL id HORDE_URL_XSS.NASL
description The version of Horde installed on the remote host fails to validate input to the
last seen 2020-06-01
modified 2020-06-02
plugin id 22004
published 2006-07-05
reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/22004
title Horde < 3.0.11 / 3.1.2 Multiple Script XSS
code
#
# (C) Tenable Network Security, Inc.
#

# Purpose: remote check that asks go.php to dereference a URL carrying a text
# marker and reports the host when the marker comes back unfiltered in a
# "Refresh:" header.
#
# Detection caveat: the only signal tested is that reflection, i.e. the
# dereferrer issue tracked as CVE-2006-3548. CVE-2006-3549 (image proxy) is
# listed in script_cve_id() but no request below exercises proxy behaviour, so
# a result speaks to it only indirectly, through the shared fixed versions
# named in the solution text.

include("compat.inc");

# Metadata block: registers the plugin's identity, text and prerequisites,
# then exits without running the check below.
if (description)
{
  script_id(22004);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:19");

  script_cve_id("CVE-2006-3548", "CVE-2006-3549");
  script_bugtraq_id(18845);

  script_name(english:"Horde < 3.0.11 / 3.1.2 Multiple Script XSS");
  script_summary(english:"Tries to exploit an XSS flaw in Horde's services/go.php");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by multiple cross-site scripting vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it in dynamically-generated content. An unauthenticated attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser. 
In addition, similar cross-site scripting issues reportedly exist with the 'module' parameter of the 'services/help/index.php' script and the 'name' parameter of the 'services/problem.php' script.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jul/91");
  script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000287.html");
  script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000288.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Horde 3.0.11 / 3.1.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/07/05");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/05");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
  script_end_attributes();

  # ACT_ATTACK: the check sends a crafted request to the target instead of
  # only reading data that was already collected.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("horde_detect.nasl", "cross_site_scripting.nasl");
  # Skipped entirely when CGI scanning is disabled in the scan settings.
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/horde");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# A server already marked as reflecting input generically would match the
# marker regardless of Horde, so it is skipped. The KB key is presumably set
# by cross_site_scripting.nasl (a declared dependency) - confirm.
if (get_kb_item("www/"+port+"/generic_xss")) exit(0, "The web server on port "+port+" is prone 
to XSS.");

# A simple (and invalid) alert.
# The script name is placed unquoted inside alert(...); the value is used only
# as a text marker to look for in the response.
xss = string("javascript:alert(", SCRIPT_NAME, ")");

# Test an install.
# The KB entry is expected in the form "<something> under <path>"; only the
# path (second capture group) is used.
install = get_kb_item(string("www/", port, "/horde"));
if (isnull(install)) exit(0, "Horde was not detected on port "+port);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
# NOTE(review): if the KB entry does not match the pattern the script ends
# here without any audit message.
if (!isnull(matches))
{
  dir = matches[2];

  # Request go.php with a url value that carries the marker. No file is read:
  # the response is only inspected for the reflected marker.
  #
  # nb: Horde 3.x uses "/services"; Horde 2.x, "/util".
  foreach subdir (make_list("/services", "/util"))
  {
    r = http_send_recv3(method:"GET",
      item:string(
        dir, subdir, "/go.php?",
        "url=", urlencode(str:string("http://www.example.com/;url=", xss))
      ),
      port:port
    );
    if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond");
    # Status line, headers and body are joined so that the header match below
    # works on one buffer.
    res = strcat(r[0], r[1], '\r\n', r[2]);

    # There's a problem if our XSS appears in the redirect.
    if (string("Refresh: 0; URL=http://www.example.com/;url=", xss) >< res)
    {
      security_warning(port);
      # Record the finding in the KB for other plugins and reporting.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }
  }
}
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-1406.NASL
description Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
last seen 2020-06-01
modified 2020-06-02
plugin id 28151
published 2007-11-12
reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/28151
title Debian DSA-1406-1 : horde3 - several vulnerabilities
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1406. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: local package check for Debian. It reports the host when
# deb_check() flags the installed horde3 package against the fixed versions
# named in DSA-1406. Nothing here sends a request to the web application.
#
# Scope note: the plugin bundles five CVEs under one finding. Per the
# description text, CVE-2006-3549 applies to oldstable (sarge) only, so for
# that CVE the release "3.1" comparison is the relevant one.

include("compat.inc");

# Metadata block: registers the plugin's identity, text and prerequisites,
# then exits without running the check below.
if (description)
{
  script_id(28151);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2006-3548", "CVE-2006-3549", "CVE-2006-4256", "CVE-2007-1473", "CVE-2007-1474");
  script_xref(name:"DSA", value:"1406");

  script_name(english:"Debian DSA-1406-1 : horde3 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378281"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383416"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3548"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3549"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-4256"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1473"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1474"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2007/dsa-1406"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the horde3 package. For the old stable distribution (sarge) these problems have been fixed in version 3.0.4-4sarge6. For the stable distribution (etch) these problems have been fixed in version 3.1.3-4etch1."
  );
  # NOTE(review): one base vector is set for the whole advisory; presumably it
  # reflects the bundle of five CVEs and not CVE-2006-3549 alone - confirm.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # The check consumes knowledge-base entries; presumably ssh_get_info.nasl is
  # what populates them from an authenticated session - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Each missing prerequisite ends the run with its own audit reason.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Release 3.1 pairs with the sarge fix and 4.0 with the etch fix, matching the
# versions given in the solution text.
# NOTE(review): deb_check() presumably returns true when the installed package
# is older than the reference - confirm in debian_package.inc.
if (deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge6")) flag++;
if (deb_check(release:"4.0", prefix:"horde3", reference:"3.1.3-4etch1")) flag++;

if (flag)
{
  # Verbose runs attach the package comparison report to the finding.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://lists.horde.org/archives/announce/2006/000287.html
- http://lists.horde.org/archives/announce/2006/000287.html
- http://lists.horde.org/archives/announce/2006/000288.html
- http://lists.horde.org/archives/announce/2006/000288.html
- http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
- http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
- http://secunia.com/advisories/20954
- http://secunia.com/advisories/20954
- http://secunia.com/advisories/21459
- http://secunia.com/advisories/21459
- http://secunia.com/advisories/27565
- http://secunia.com/advisories/27565
- http://securityreason.com/securityalert/1229
- http://securityreason.com/securityalert/1229
- http://securitytracker.com/id?1016442
- http://securitytracker.com/id?1016442
- http://www.debian.org/security/2007/dsa-1406
- http://www.debian.org/security/2007/dsa-1406
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://www.securityfocus.com/archive/1/439255/100/0/threaded
- http://www.securityfocus.com/archive/1/439255/100/0/threaded
- http://www.securityfocus.com/bid/18845
- http://www.securityfocus.com/bid/18845
- http://www.vupen.com/english/advisories/2006/2694
- http://www.vupen.com/english/advisories/2006/2694