Vulnerabilities > CVE-2007-1473 - Cross-Site Scripting vulnerability in Horde Framework Login.PHP

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
horde
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php.

Vulnerable Configurations

Part Description Count
Application
Horde
37

Exploit-Db

descriptionHorde Framework 3.1.3 Login.PHP Cross-Site Scripting Vulnerability. CVE-2007-1473 . Webapps exploit for php platform
idEDB-ID:29745
last seen2016-02-03
modified2007-03-15
published2007-03-15
reporterMoritz Naumann
sourcehttps://www.exploit-db.com/download/29745/
titleHorde Framework <= 3.1.3 Login.PHP Cross-Site Scripting Vulnerability

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE9_11488.NASL
    descriptionThis update fixes a cross-site scripting bug (XSS) in horde. (CVE-2007-1473)
    last seen2020-06-01
    modified2020-06-02
    plugin id41123
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41123
    titleSuSE9 Security Update : horde (YOU Patch Number 11488)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and leaves through exit(0) at the end of this block, before any
    # host check runs.
    if (description)
    {
      script_id(41123);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:29");
    
      # The single CVE this check is tied to.
      script_cve_id("CVE-2007-1473");
    
      script_name(english:"SuSE9 Security Update : horde (YOU Patch Number 11488)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes a cross-site scripting bug (XSS) in horde.
    (CVE-2007-1473)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2007-1473/"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 11488.");
      # CVSS v2 base vector: network access, medium complexity, no authentication,
      # partial integrity impact, no confidentiality or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      # Declared as a local check. The only CPE given is the operating system,
      # not the horde package.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      # The plugin was published more than two years after the patch date.
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      # Information-gathering category: the check body only reads KB items and
      # compares a package version.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # NOTE(review): ssh_get_info.nasl is presumably what fills the Host/* KB
      # entries required below - confirm. The check body reads all four keys.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions: local checks enabled, a SuSE release recorded, and a package
    # list available. A missing package list is reported as an error (exit code 1),
    # the other two as "not applicable" (exit code 0).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      exit(0, "Local checks are not enabled.");
    }
    if (!get_kb_item("Host/SuSE/release"))
    {
      exit(0, "The host is not running SuSE.");
    }
    if (!get_kb_item("Host/SuSE/rpm-list"))
    {
      exit(1, "Could not obtain the list of installed packages.");
    }
    
    # Architecture gate: the value must be contained in "x86_64" or match
    # i386..i686; anything else is reported as not implemented.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      exit(1, "Failed to determine the architecture type.");
    }
    if (!(cpu >< "x86_64" || cpu =~ "^i[3-6]86$"))
    {
      exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    }
    
    
    # Package test against the reference build. A truthy rpm_check() result is
    # counted in `flag`. This is a version comparison only; the web application
    # itself is not probed.
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"horde-2.2.5-63.19"))
    {
      flag++;
    }
    
    
    if (!flag)
    {
      exit(0, "The host is not affected.");
    }
    
    # Report the finding; the rpm report text is attached only when verbosity is
    # above zero.
    if (report_verbosity > 0)
    {
      security_warning(port:0, extra:rpm_report_get());
    }
    else
    {
      security_warning(0);
    }
    exit(0);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_HORDE-3089.NASL
    descriptionThis update fixes a cross site scripting bug (XSS) in horde (CVE-2007-1473).
    last seen2020-06-01
    modified2020-06-02
    plugin id27266
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27266
    titleopenSUSE 10 Security Update : horde (horde-3089)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update horde-3089.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and leaves through exit(0) at the end of this block, before any
    # host check runs.
    if (description)
    {
      script_id(27266);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:30");
    
      # The single CVE this check is tied to.
      script_cve_id("CVE-2007-1473");
    
      script_name(english:"openSUSE 10 Security Update : horde (horde-3089)");
      script_summary(english:"Check for the horde-3089 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      # The "udpate" spelling below is part of the published description string
      # and is left untouched.
      script_set_attribute(
        attribute:"description", 
        value:
    "This udpate fixes a cross site scripting bug (XSS) in horde
    (CVE-2007-1473)."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected horde package.");
      # CVSS v2 base vector: network access, medium complexity, no authentication,
      # partial integrity impact, no confidentiality or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      # Declared as a local check. CPEs name the horde package and the two
      # openSUSE releases (10.1, 10.2) that the check body tests.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:horde");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      # Information-gathering category: the check body only reads KB items and
      # compares package versions.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # NOTE(review): ssh_get_info.nasl is presumably what fills the Host/* KB
      # entries required below - confirm. The check body reads all three keys.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions, each reported through audit(): local checks enabled, an
    # openSUSE 10.1 / 10.2 release string, and a package list in the KB.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    
    release = get_kb_item("Host/SuSE/release");
    # A missing release, or one starting with SLED/SLES, is treated as
    # "not openSUSE".
    if (isnull(release))
    {
      audit(AUDIT_OS_NOT, "openSUSE");
    }
    else if (release =~ "^(SLED|SLES)")
    {
      audit(AUDIT_OS_NOT, "openSUSE");
    }
    if (release !~ "^(SUSE10\.1|SUSE10\.2)$")
    {
      audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release);
    }
    if (!get_kb_item("Host/SuSE/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    
    
    # One package test per supported release. Both calls are always made and each
    # truthy result is counted in `flag`. This is a version comparison only; the
    # web application itself is not probed.
    flag = 0;
    
    if (rpm_check(release:"SUSE10.1", reference:"horde-3.0.9-19.7"))
    {
      flag++;
    }
    if (rpm_check(release:"SUSE10.2", reference:"horde-3.1.3-22"))
    {
      flag++;
    }
    
    if (!flag)
    {
      # Nothing flagged: say whether a package was tested and found unaffected,
      # or whether horde was not installed at all.
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "horde");
      }
    }
    else
    {
      # Report the finding; the rpm report text is attached only when verbosity
      # is above zero.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:rpm_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL familyCGI abuses : XSS
    NASL idHORDE_NEW_LANG_XSS.NASL
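    descriptionThe version of Horde installed on the remote host fails to sanitize input to the 'new_lang' parameter before using it in the 'framework/NLS/NLS.php' script to generate dynamic content.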
    last seen2020-06-01
    modified2020-06-02
    plugin id24817
    published2007-03-16
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24817
    titleHorde NLS.php Language Selection new_lang Parameter XSS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and leaves through exit(0) at the end of this block, before any
    # request is sent.
    if (description)
    {
      script_id(24817);
      script_version("1.27");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      # Cross-references: one CVE and one Bugtraq id.
      script_cve_id("CVE-2007-1473");
      script_bugtraq_id(22984);
    
      script_name(english:"Horde NLS.php Language Selection new_lang Parameter XSS");
      script_summary(english:"Checks for an XSS flaw in Horde");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is vulnerable to
    a cross-site scripting attack.");
      script_set_attribute(attribute:"description", value:
    "The version of Horde installed on the remote host fails to sanitize
    input to the 'new_lang' parameter before using it in the
    'framework/NLS/NLS.php' script to generate dynamic content.  An
    unauthenticated, remote attacker may be able to leverage this issue to
    inject arbitrary HTML or script code into a user's browser to be
    executed within the security context of the affected site.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/Mar/241");
      script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2007/000315.html");
      # Remediation is an upgrade; no configuration workaround is given here.
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Horde version 3.1.4 or later.");
      # CVSS v2 base vector: network access, medium complexity, no authentication,
      # partial integrity impact, no confidentiality or availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      # CVSS v2 temporal vector: exploitability high, official fix available,
      # report confidence confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # NOTE(review): "exploit_available" is "false" while the temporal vector says
      # E:H and exploitability_ease says no exploit is required. Treat the flag
      # as "no packaged exploit needed", not as "hard to exploit" - confirm.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-79 (cross-site scripting), CWE-20 (improper input validation) and
      # CWE-74 (injection) describe the flaw. NOTE(review): the remaining ids look
      # like CWE category / view identifiers - confirm before relying on them.
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/16");
      script_set_attribute(attribute:"vuln_publication_date", value: "2007/03/14");
    
      # Declared as a remote check against the Horde application framework.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
      script_end_attributes();
    
      # ACT_ATTACK: unlike the package-version checks, the body of this script
      # sends a crafted new_lang value to login.php on the target.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses : XSS");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      # NOTE(review): horde_detect.nasl / imp_detect.nasl presumably set the
      # www/<port>/horde and www/<port>/imp KB entries the body reads - confirm.
      script_dependencies("horde_detect.nasl", "imp_detect.nasl", "cross_site_scripting.nasl");
      # Exclude key: presumably skips the script when CGI scanning is disabled
      # in the scan settings - confirm.
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("url_func.inc");
    
    
    # Web port to test. The php / no_xss arguments are passed to get_http_port();
    # NOTE(review): presumably they restrict the check to PHP-capable servers
    # that are not already flagged as generically XSS-prone - confirm in http.inc.
    port = get_http_port(default:80, php: 1, no_xss: 1);
    
    # Marker value for the reflection test: the plugin's own file name inside a
    # script call, preceded by characters that would break out of an HTML
    # attribute if the server echoed them unescaped.
    xss = string("alert('", SCRIPT_NAME, "');");
    exploit = string('"><body onload="', xss);
    
    
    # Candidate installs, each a string of the form "<something> under <dir>",
    # taken from the KB entries for IMP and Horde on this port.
    installs = make_list();
    
    imp = get_kb_item(string("www/", port, "/imp"));
    if (imp)
    {
      installs = make_list(installs, imp);
    }
    
    horde = get_kb_item(string("www/", port, "/horde"));
    if (horde)
    {
      installs = make_list(installs, horde);
    }
    
    # With thorough tests on, also try the usual application sub-directories below
    # the detected Horde directory. "imp" is not in the list; it is covered by
    # its own KB entry above.
    if (horde && thorough_tests)
    {
      matches = eregmatch(string:horde, pattern:"^(.+) under (/.*)$");
      if (!isnull(matches))
      {
        horde_dir = matches[2];
        apps = make_list(
          "chora", "dimp", "gollem",
          "ingo", "kronolith", "mimp",
          "mnemo", "nag", "sork",
          "trean", "turba", "whups"
        );
        foreach app (apps)
        {
          installs = make_list(installs, string("unknown under ", horde_dir, "/", app));
        }
      }
    }
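    # What an affected page is expected to echo back: the marker with every "_"
    # shown as "-". It is computed once into its own variable so that the request
    # payload in `exploit` is not overwritten inside the loop; previously every
    # request after the first carried the already-rewritten value.
    reflected = str_replace(find:"_", replace:"-", string:exploit);
    
    # Probe login.php under each candidate directory and stop at the first hit.
    foreach install (installs)
    {
      matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
      if (!isnull(matches))
      {
        dir = matches[2];
    
        # Request the login page with the marker as the new_lang value.
        # exit_on_fail makes the script stop if the request itself fails.
        r = http_send_recv3(method:"GET", 
          item:string(
            dir, "/login.php?",
            "new_lang=", urlencode(str:exploit)
          ), 
          port:port,
          exit_on_fail: 1
        );
        res = r[2];
    
        # There's a problem if our marker appears as the page language, i.e. the
        # parameter was written into the lang attribute without HTML escaping.
        # The fix named in this plugin's metadata is Horde 3.1.4 or later.
        if (string('<html lang="', reflected) >< res)
        {
          security_warning(port);
          # Record the finding in the KB for this port.
          set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
          exit(0);
        }
      }
    }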
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1406.NASL
    descriptionSeveral remote vulnerabilities have been discovered in the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3548 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to oldstable (sarge) only. - CVE-2006-3549 Moritz Naumann discovered that Horde does not properly restrict its image proxy, allowing remote attackers to use the server as a proxy. This vulnerability applies to oldstable (sarge) only. - CVE-2006-4256 Marc Ruef discovered that Horde allows remote attackers to include web pages from other sites, which could be useful for phishing attacks. This vulnerability applies to oldstable (sarge) only. - CVE-2007-1473 Moritz Naumann discovered that Horde allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user (cross site scripting). This vulnerability applies to both stable (etch) and oldstable (sarge). - CVE-2007-1474 iDefense discovered that the cleanup cron script in Horde allows local users to delete arbitrary files. This vulnerability applies to oldstable (sarge) only.
    last seen2020-06-01
    modified2020-06-02
    plugin id28151
    published2007-11-12
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28151
    titleDebian DSA-1406-1 : horde3 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1406. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and leaves through exit(0) at the end of this block, before any
    # host check runs.
    if (description)
    {
      script_id(28151);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      # One advisory covering five CVEs; a hit from this plugin does not say which
      # of them applies to the host.
      script_cve_id("CVE-2006-3548", "CVE-2006-3549", "CVE-2006-4256", "CVE-2007-1473", "CVE-2007-1474");
      script_xref(name:"DSA", value:"1406");
    
      script_name(english:"Debian DSA-1406-1 : horde3 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text. Per this text only CVE-2007-1473 affects both stable (etch)
      # and oldstable (sarge); the other four are sarge-only.
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in the Horde web
    application framework. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CVE-2006-3548
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-3549
        Moritz Naumann discovered that Horde does not properly
        restrict its image proxy, allowing remote attackers to
        use the server as a proxy.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2006-4256
        Marc Ruef discovered that Horde allows remote attackers
        to include web pages from other sites, which could be
        useful for phishing attacks.
    
          This vulnerability applies to oldstable (sarge) only.
    
      - CVE-2007-1473
        Moritz Naumann discovered that Horde allows remote
        attackers to inject arbitrary web script or HTML in the
        context of a logged in user (cross site scripting).
    
          This vulnerability applies to both stable (etch) and oldstable
          (sarge).
    
      - CVE-2007-1474
        iDefense discovered that the cleanup cron script in
        Horde allows local users to delete arbitrary files.
    
          This vulnerability applies to oldstable (sarge) only."
      );
      # References: three Debian bug reports, one security-tracker page per CVE,
      # and the advisory itself.
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-4256"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1473"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1474"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1406"
      );
      # Fixed versions per distribution, as tested by the check body.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the horde3 package.
    
    For the old stable distribution (sarge) these problems have been fixed
    in version 3.0.4-4sarge6.
    
    For the stable distribution (etch) these problems have been fixed in
    version 3.1.3-4etch1."
      );
      # CVSS v2 base vector with partial confidentiality, integrity and
      # availability impact. NOTE(review): this presumably rates the advisory
      # as a whole (five CVEs), so it should not be read as the score of any
      # single CVE such as CVE-2007-1473 - confirm against the advisory.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check. CPEs name the horde3 package and Debian 3.1
      # and 4.0, the two releases the check body tests.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:horde3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/12");
      script_end_attributes();
    
      # Information-gathering category: the check body only reads KB items and
      # compares package versions.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # NOTE(review): ssh_get_info.nasl is presumably what fills the Host/* KB
      # entries required below - confirm. The check body reads all three keys.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions, each reported through audit(): local checks enabled, a
    # Debian release recorded, and dpkg output available in the KB.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Debian/release"))
    {
      audit(AUDIT_OS_NOT, "Debian");
    }
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    
    # One horde3 package test per release: 3.1 against the sarge fix, 4.0 against
    # the etch fix. Both calls are always made and each truthy result is counted
    # in `flag`. This is a version comparison only; the web application itself is
    # not probed.
    flag = 0;
    if (deb_check(release:"3.1", prefix:"horde3", reference:"3.0.4-4sarge6"))
    {
      flag++;
    }
    if (deb_check(release:"4.0", prefix:"horde3", reference:"3.1.3-4etch1"))
    {
      flag++;
    }
    
    if (!flag)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      # Report the finding; the dpkg report text is attached only when verbosity
      # is above zero.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:deb_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }