FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

horde -- Phishing and Cross-Site Scripting Vulnerabilities

Affected packages
horde <= 3.1.2
imp <= 4.1.2

Details

VuXML ID e2e8d374-2e40-11db-b683-0008743bf21a
Discovery 2006-08-17
Entry 2006-08-17

Secunia reports:

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.

  1. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site.
  2. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
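
One way to guard a frameset URL parameter like the one in item 1, with the output escaping that item 2 calls for. This is an added example, not Horde's code or its actual fix; the function names, host names and paths are hypothetical.

```php
<?php
// Added example, not Horde code. Function names, hosts and paths are hypothetical.

// Return $url if it may be loaded in a frame, otherwise $fallback.
// Allowed: a site-relative path, or http(s) to an allowlisted host.
function safe_frame_url(string $url, array $trustedHosts, string $fallback): string
{
    // Control characters, spaces and backslashes are rejected: browsers may
    // strip or normalise them, so the parsed URL would not match what loads.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative reference: must be an absolute path on this site.
        return ($url[0] === '/') ? $url : $fallback;
    }
    // Absolute or scheme-relative URL: http(s) only, no userinfo, known host.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array($host, $trustedHosts, true)) {
        return $fallback;
    }
    return $url;
}

// Build the frameset, escaping the value for the HTML attribute context.
function render_frameset(string $url): string
{
    $src = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<frameset rows="*"><frame src="' . $src . '"></frameset>';
}

// Constructed sample inputs: the first two pass, the rest fall back.
$trusted = ['webmail.example.org'];
$inputs  = ['/imp/mailbox.php?a=1&b=2', 'https://webmail.example.org/horde/',
            'http://other.example.net/login', '//other.example.net/', 'javascript:void(0)'];
foreach ($inputs as $input) {
    echo render_frameset(safe_frame_url($input, $trusted, '/login.php')), "\n";
}
```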

References

Bugtraq ID 19544
Bugtraq ID 19557
URL http://lists.horde.org/archives/announce/2006/000292.html
URL http://secunia.com/advisories/21500/