Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22969
HistoryDec 17, 2009 - 12:00 a.m.

[ISecAuditors Security Advisories] Horde 3.3.5 "PHP_SELF" Cross-Site Scripting vulnerability

2009-12-1700:00:00
vulners.com
18

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-012

  • Original release date: October 13th, 2009
  • Last revised: December 16th, 2009
  • Discovered by: Juan Galiana Lara
  • CVE ID: CVE-2009-3701
  • Severity: 6.3/10 (CVSS Base Score)
    =============================================

I. VULNERABILITY

Horde 3.3.5 "PHP_SELF" Cross-Site Scripting vulnerability

II. BACKGROUND

The Horde Application Framework is a modular, general-purpose web
application framework written in PHP. It provides an extensive array
of classes that are targeted at the common problems and tasks involved
in developing modern web applications.

III. DESCRIPTION

Input passed to 'PHP_SELF' variable is not properly filtered before
being returned to the user. This can be explotied to inject arbitrary
HTML or to execute arbitrary script code in a user's browser session
in context of an affected site. In order to successfully exploit this
vulnerability the targeted user has to be logged as an administrator.

horde-3.3.5/admin/cmdshell.php:46:<form action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="post">
horde-3.3.5/admin/sqlshell.php:29:<form name="sqlshell" action="<?php
echo $_SERVER['PHP_SELF'] ?>" method="post">
horde-3.3.5/admin/phpshell.php:42:<form action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="post">

In order to filter the "PHP_SELF" variable, the htmlspecialchars
function has to be used, like in
'horde-3.3.5/templates/shares/edit.inc' file:

horde-3.3.5/templates/shares/edit.inc:1:<form name="edit"
method="post" action="<?php echo
htmlspecialchars($_SERVER['PHP_SELF']) ?>">

IV. PROOF OF CONCEPT

This PoC will show an alert with the text "xss"

http://site/horde-3.3.5/admin/phpshell.php/&#37;22&#37;3E&#37;3Cscript&#37;3Ealert&#37;288&#37;29;&#37;3C/script&#37;3E&#37;3Cform&#37;20/?Horde=&lt;sessid&gt;
http://site/horde-3.3.5/admin/cmdshell.php/&#37;22&#37;3E&#37;3Cscript&#37;3Ealert&#37;288&#37;29;&#37;3C/script&#37;3E&#37;3Cform&#37;20/?Horde=&lt;sessid&gt;
http://site/horde-3.3.5/admin/sqlshell.php/&#37;22&#37;3E&#37;3Cscript&#37;3Ealert&#37;288&#37;29;&#37;3C/script&#37;3E&#37;3Cform&#37;20/?Horde=&lt;sessid&gt;

V. BUSINESS IMPACT

Is possible to execute arbitrary HTML or script code in a targeted
user's browser. Only works with administration sessions.

VI. SYSTEMS AFFECTED

Horde 3.3.5 is vulnerable, others may be affected.

VII. SOLUTION

Upgrade to version 3.3.6

VIII. REFERENCES

http://www.horde.org
http://lists.horde.org/archives/announce/2009/000529.html
http://www.isecauditors.com

IX. CREDITS

This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY

October 13, 2009: Initial release
October 19, 2009: Added CVE id.
December 13, 2009: Revision.
December 16, 2009: Las revision.

XI. DISCLOSURE TIMELINE

October 13, 2009: Vulnerability discovered by
Internet Security Auditors.
October 13, 2009: Sent to developers.
The issue is considered hard to exploit and
solution is delayed.
December 13, 2009: Second contact for correction plan.
December 15, 2009: New release published.
December 16, 2009: Sent to public lists.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.