OSVDB ID: 23918

Title: Horde go.php url Parameter Arbitrary File Access

Dates

Disclosure: Mar 14, 2006
Discovery: Unknown
Exploit: Mar 15, 2006
Solution: Unknown

Description

Horde contains a flaw that may lead to an unauthorized information disclosure. The issue is due to go.php not properly sanitizing user input supplied to the 'url' variable. Embedding a NULL character within the 'url' variable enables an attacker to control the value passed to the readfile() function, leading to the reading of any file on the file system with the privileges of the web server and resulting in a loss of confidentiality.
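The mechanism above, modelled as an added illustration that is not Horde's own code: a length-counted string (as PHP stores the 'url' parameter) passes a check or gets a suffix appended, but the C-level file call only sees the bytes before the first NUL. The ".html" suffix, the buffer sizes and the "page" sample input are assumptions; the hardened variant rejects any embedded NUL before the path is ever built.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUFFIX ".html"   /* assumed fixed suffix the application appends */

/* Naive handling: copy the counted bytes and append SUFFIX.  The caller
 * assumes the resulting path therefore always ends in SUFFIX. */
static size_t naive_build(const char *url, size_t len, char *out, size_t cap) {
    if (len + sizeof SUFFIX > cap) return 0;
    memcpy(out, url, len);
    memcpy(out + len, SUFFIX, sizeof SUFFIX);   /* copies the trailing NUL too */
    return len + sizeof SUFFIX - 1;             /* counted length, like a PHP string */
}

/* Length a C-string consumer (fopen, and thus readfile) actually uses:
 * everything after the first NUL is silently dropped. */
static size_t naive_effective_len(const char *url, size_t len) {
    char tmp[256];
    return naive_build(url, len, tmp, sizeof tmp) ? strlen(tmp) : 0;
}

/* Hardened handling: reject embedded NUL first, then build, then keep the
 * result inside the document root (no absolute paths, no traversal). */
static bool hardened_build(const char *url, size_t len, char *out, size_t cap) {
    if (memchr(url, '\0', len) != NULL) return false;     /* embedded NUL: reject */
    if (naive_build(url, len, out, cap) == 0) return false;
    if (out[0] == '/' || strstr(out, "..") != NULL) return false;
    return true;
}

int main(void) {
    /* Constructed input: "page", a NUL, then "extra"; 10 counted bytes. */
    static const char sample[] = "page\0extra";
    char path[64];
    size_t counted = naive_build(sample, sizeof sample - 1, path, sizeof path);
    printf("naive: %zu counted bytes, file call sees %zu (\"%s\")\n",
           counted, strlen(path), path);
    printf("hardened accepts it: %s\n",
           hardened_build(sample, sizeof sample - 1, path, sizeof path) ? "yes" : "no");
    return 0;
}
```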

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Horde Project: Horde 3.0.9

Credit

• Paul Craig - paul.craig@security-assessment.com - Security-Assessment.com
Direct URL: http://osvdb.org/23918