Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.

Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-1260     Null characters in the URL parameter bypass a sanity     check, which allowed remote attackers to read arbitrary     files, which allowed information disclosure.

  - CVE-2006-1491     User input in the help viewer was passed unsanitised to     the eval() function, which allowed injection of     arbitrary web code.

Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-4190     Several Cross-Site-Scripting vulnerabilities have been     discovered in the 'share edit window'.

  - CVE-2006-1260     Null characters in the URL parameter bypass a sanity     check, which allowed remote attackers to read arbitrary     files, which allowed information disclosure.

  - CVE-2006-1491     User input in the help viewer was passed unsanitised to     the eval() function, which allowed injection of     arbitrary web code.

The remote host is affected by the vulnerability described in GLSA-200604-02 (Horde Application Framework: Remote code execution)

    Jan Schneider of the Horde team discovered a vulnerability in the     help viewer of the Horde Application Framework that could allow remote     code execution (CVE-2006-1491). Paul Craig reported that     'services/go.php' fails to validate the passed URL parameter correctly     (CVE-2006-1260).
  Impact :

    An attacker could exploit the vulnerability in the help viewer to     execute arbitrary code with the privileges of the web server user. By     embedding a NULL character in the URL parameter, an attacker could     exploit the input validation issue in go.php to read arbitrary files.
  Workaround :

    There are no known workarounds at this time.

The remote web server contains a PHP application that is affected by an information disclosure flaw.  The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it to read files and return their contents.  An unauthenticated attacker may be able to leverage this issue to retrieve the contents of arbitrary files on the affected host subject to the privileges of the web server user ID.  This can result in the disclosure of authentication credentials used by the affected application as well as other sensitive information.  Note that successful exploitation of this issue seems to require that PHP's 'magic_quotes_gpc' be disabled, although this has not been confirmed by the vendor.

The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it to read files and return their contents.  An unauthenticated attacker may be able to leverage this issue to retrieve the contents of arbitrary files on the affected host subject to the privileges of the web server user id.  This can result in the disclosure of authentication credentials used by the affected application as well as other sensitive information. 

Note that successful exploitation of this issue seems to require that PHP's 'magic_quotes_gpc' be disabled, although this has not been confirmed by the vendor.

ID	Name	Product	Family	Severity
22576	Debian DSA-1034-1 : horde2 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22575	Debian DSA-1033-1 : horde3 - several vulnerabilities	Nessus	Debian Local Security Checks	high
21195	GLSA-200604-02 : Horde Application Framework: Remote code execution	Nessus	Gentoo Local Security Checks	high
3477	Horde < 3.1 go.php url Parameter File Disclosure	Nessus Network Monitor	CGI	medium
21081	Horde go.php url Parameter Arbitrary File Access	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2006-1260

high

Tenable Plugins

high

high

high

medium

medium