Bug 81531 (CVE-2005-1319)

Summary: VUL-0: CVE-2005-1319: horde XSS
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1319: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-05-02 10:56:40 UTC
We received the following report via full-disclosure.
The issue is public.

Date: Sun, 1 May 2005 12:10:12 -0400
From: Luke Macken <lewk@gentoo.org>
To: gentoo-announce@gentoo.org
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
	security-alerts@linuxsecurity.com
Subject: [Full-disclosure] [ GLSA 200505-01 ] Horde Framework: Multiple XSS
	vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Horde Framework: Multiple XSS vulnerabilities
      Date: May 01, 2005
      Bugs: #90365
        ID: 200505-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Various modules of the Horde Framework are vulnerable to multiple
cross-site scripting (XSS) vulnerabilities.

Background
==========

The Horde Framework is a PHP based framework for building web
applications. It provides many modules including calendar, address
book, CVS viewer and Internet Messaging Program.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  www-apps/horde-vacation        < 2.2.2                   >= 2.2.2
  2  www-apps/horde-turba           < 1.2.5                   >= 1.2.5
  3  www-apps/horde-passwd          < 2.2.2                   >= 2.2.2
  4  www-apps/horde-nag             < 1.1.3                   >= 1.1.3
  5  www-apps/horde-mnemo           < 1.1.4                   >= 1.1.4
  6  www-apps/horde-kronolith       < 1.1.4                   >= 1.1.4
  7  www-apps/horde-imp             < 3.2.8                   >= 3.2.8
  8  www-apps/horde-accounts        < 2.1.2                   >= 2.1.2
  9  www-apps/horde-forwards        < 2.2.2                   >= 2.2.2
 10  www-apps/horde-chora           < 1.2.3                   >= 1.2.3
 11  www-apps/horde                 < 2.2.8                   >= 2.2.8
    -------------------------------------------------------------------
     11 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Cross-site scripting vulnerabilities have been discovered in various
modules of the Horde Framework.

Impact
======

These vulnerabilities could be exploited by an attacker to execute
arbitrary HTML and script code in context of the victim's browser.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Horde users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"

All Horde Vacation users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-vacation-2.2.2"

All Horde Turba users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-turba-1.2.5"

All Horde Passwd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-passwd-2.2.2"

All Horde Nag users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-nag-1.1.3"

All Horde Mnemo users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-1.1.4"

All Horde Kronolith users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-1.1.4"

All Horde IMP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-imp-3.2.8"

All Horde Accounts users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-accounts-2.1.2"

All Horde Forwards users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-forwards-2.2.2"

All Horde Chora users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-chora-1.2.3"

References
==========

  [ 1 ] Horde Announcement
        http://marc.theaimsgroup.com/?l=horde-announce&r=1&b=200504&w=2

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Comment 1 Michal Čihař 2005-05-04 12:43:30 UTC
Are there any details available where the XSS is? Or should I update to current
version?
Comment 2 Ludwig Nussel 2005-05-04 13:10:42 UTC
I'm not familiar with horde. If the upstream maintainers provide a patch then 
it's easy. If not you'll have to diff the versions with and without the fix 
yourself to find out where the problem is. 
Comment 3 Michal Čihař 2005-05-04 13:24:47 UTC
There is no patch available just mention in changelogs not giving any details.
Comment 4 Michal Čihař 2005-05-04 13:25:00 UTC
There is no patch available just mention in changelogs not giving any details.
Comment 5 Michal Čihař 2005-05-09 13:36:14 UTC
Affected code seems to be only on 9.1, 9.2 and SLES 9 based products.
Comment 6 Michal Čihař 2005-05-09 13:55:35 UTC
Horde packages submitted, I'm going to check IMP, which is said also to be
vulnerable.
Comment 7 Michal Čihař 2005-05-09 14:13:20 UTC
IMP packages also submitted.
Comment 8 Ludwig Nussel 2005-05-09 15:15:05 UTC
Confusing. 
- horde was not shipped on 9.1, only 9.2 and sles9 
- the string length check thing in 9.3 has no meaning in php itself, right? So 
no need to update 9.3!? 
- which module exactly is affected by the XSS? There are 10 CAN numbers but 
you only added a patch that changes one file. 
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=horde 
 
Comment 9 Ludwig Nussel 2005-05-09 15:15:56 UTC
SM-Tracker-1141 
Comment 10 Ludwig Nussel 2005-05-09 15:19:33 UTC
One more thing, imp was never on any product we shipped. 
Comment 11 Michael Schröder 2005-05-10 17:04:46 UTC
Patchinfo? 
Comment 12 Ludwig Nussel 2005-05-11 07:16:05 UTC
*grmbl* Michal was not in CC anymore. I need answers to #8 before creating 
patchinfos. 
Comment 13 Michal Čihař 2005-05-11 08:32:01 UTC
Sorry for not keeping me in CC.

I didn't know it was never shipped, why do we have such package?

There were several XSS in each Horde module from which we have just Horde and
IMP. For Horde itself it's CAN-2005-0961, for IMP it's CAN-2005-1319.
Comment 14 Michal Čihař 2005-05-11 08:33:04 UTC
Forgot to check checkbox :-)
Comment 15 Ludwig Nussel 2005-05-11 08:37:58 UTC
Ok, thanks. Therefore horde updates for CAN-2005-0961 will be done for 9.1,  
9.2 and sles9.  
  
I don't know what imp is good for, you are the maintainer :-) is_maintained  
says it was not shipped. So maybe it can be dropped.  
Comment 16 Marcus Meissner 2005-06-15 15:50:19 UTC
updates released. 
Comment 17 Marcus Meissner 2005-06-17 13:57:34 UTC
was not released for 9.1 ... because 9.1 did not include horde ... all other 
distros did for some reason. 
Comment 18 Thomas Biege 2009-10-13 21:21:08 UTC
CVE-2005-1319: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)