Vulnerabilities > CVE-2006-3549 - Cross-Site Scripting vulnerability in Horde Application Framework Services

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
horde
nessus

Summary

services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_HORDE-1868.NASL
    descriptionThis update fixes the following two security issues in the Horde Application Framework : - CVE-2006-3548: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a (1) JavaScript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a JavaScript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). - CVE-2006-3549: services/go.php does not properly restrict its image proxy capability, which allows remote attackers to perform
    last seen2020-06-01
    modified2020-06-02
    plugin id27265
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27265
    titleopenSUSE 10 Security Update : horde (horde-1868)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update horde-1868.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27265);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-3548", "CVE-2006-3549");
    
      script_name(english:"openSUSE 10 Security Update : horde (horde-1868)");
      script_summary(english:"Check for the horde-1868 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following two security issues in the Horde
    Application Framework :
    
      - CVE-2006-3548: Multiple cross-site scripting (XSS)
        vulnerabilities allow remote attackers to inject
        arbitrary web script or HTML via a (1) JavaScript URI or
        an external (2) http, (3) https, or (4) ftp URI in the
        url parameter in services/go.php (aka the dereferrer),
        (5) a JavaScript URI in the module parameter in
        services/help (aka the help viewer), and (6) the name
        parameter in services/problem.php (aka the problem
        reporting screen).
    
      - CVE-2006-3549: services/go.php does not properly
        restrict its image proxy capability, which allows remote
        attackers to perform 'Web tunneling' attacks and use the
        server as a proxy via (1) http, (2) https, and (3) ftp
        URL in the url parameter, which is requested from the
        server."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected horde package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:horde");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"horde-3.0.9-19.4") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "horde");
    }
    
  • NASL familyCGI abuses : XSS
    NASL idHORDE_URL_XSS.NASL
    descriptionThe version of Horde installed on the remote host fails to validate input to the
    last seen2020-06-01
    modified2020-06-02
    plugin id22004
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22004
    titleHorde < 3.0.11 / 3.1.2 Multiple Script XSS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22004);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      script_cve_id("CVE-2006-3548", "CVE-2006-3549");
      script_bugtraq_id(18845);
    
      script_name(english:"Horde < 3.0.11 / 3.1.2 Multiple Script XSS");
      script_summary(english:"Tries to exploit an XSS flaw in Horde's services/go.php");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP script that is affected by
    multiple cross-site scripting vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Horde installed on the remote host fails to validate
    input to the 'url' parameter of the 'services/go.php' script before
    using it in dynamically-generated content.  An unauthenticated
    attacker may be able to leverage this issue to inject arbitrary HTML
    and script code into a user's browser. 
    
    In addition, similar cross-site scripting issues reportedly exist with
    the 'module' parameter of the 'services/help/index.php' script and the
    'name' parameter of the 'services/problem.php' script.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jul/91");
      script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000287.html");
      script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2006/000288.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Horde 3.0.11 / 3.1.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2006/07/05");
      script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/05");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
      script_end_attributes();
     
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses : XSS");
     
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
    
      script_dependencies("horde_detect.nasl", "cross_site_scripting.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/horde");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("url_func.inc");
    
    
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);
    if (get_kb_item("www/"+port+"/generic_xss")) exit(0, "The web server on port "+port+" is prone to XSS.");
    
    
    # A simple (and invalid) alert.
    xss = string("javascript:alert(", SCRIPT_NAME, ")");
    
    
    # Test an install.
    install = get_kb_item(string("www/", port, "/horde"));
    if (isnull(install)) exit(0, "Horde was not detected on port "+port);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches))
    {
      dir = matches[2];
    
      # Try to exploit the issue to read a file.
      #
      # nb: Horde 3.x uses "/services"; Horde 2.x, "/util".
      foreach subdir (make_list("/services", "/util"))
      {
        r = http_send_recv3(method:"GET", 
          item:string(
            dir, subdir, "/go.php?",
            "url=", urlencode(str:string("http://www.example.com/;url=", xss))
          ), 
          port:port
        );
        if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond");
        res = strcat(r[0], r[1], '\r\n', r[2]);
    
        # There's a problem if our XSS appears in the redirect.
        if (string("Refresh: 0; URL=http://www.example.com/;url=", xss) >< res)
        {
          security_warning(port);
          set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
          exit(0);
        }
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1406.NASL
    descriptionSeveral remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
    last seen2020-06-01
    modified2020-06-02
    plugin id28151
    published2007-11-12
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28151
    titleDebian DSA-1406-1 : horde3 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1406. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28151);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-3548", "CVE-2006-3549", "CVE-2006-4256", "CVE-2007-1473", "CVE-2007-1474");
      script_xref(name:"DSA", value:"1406");
    
      script_name(english:"Debian DSA-1406-1 : horde3 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in the Horde web
    application framework. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CVE-2006-3548
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-3549
        Moritz Naumann discovered that Horde does not properly
        restrict its image proxy, allowing remote attackers to
        use the server as a proxy.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-4256
        Marc Ruef discovered that Horde allows remote attackers
        to include web pages from other sites, which could be
        useful for phishing attacks.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2007-1473
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to both stable (etch) and oldstable
          (sarge).
    
      - CVE-2007-1474
        iDefense discovered that the cleanup cron script in
        Horde allows local users to delete arbitrary files.
    
          This vulnerability applies to oldstable (sarge) only."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-4256"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1473"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1474"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1406"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the horde3 package.
    
    For the old stable distribution (sarge) these problems have been fixed
    in version 3.0.4-4sarge6.
    
    For the stable distribution (etch) these problems have been fixed in
    version 3.1.3-4etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge6")) flag++;
    if (deb_check(release:"4.0", prefix:"horde3", reference:"3.1.3-4etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");