n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.006 11-Sep-2008 ________________________________________________________________________ Vendor: The Horde Project, http://www.horde.org/ Affected Products: Horde >= 3.2, Horde <= 3.2.1 Vulnerability: Cross-Site Scripting in filename MIME attachments CVE: CVE-2008-3823 oCERT: oCERT-2008-012 Risk: CRITICAL ________________________________________________________________________ Vendor communication: 2008/07/25 Bug found and PoC preparation 2008/07/26 Vulnerability report submitted via oCert online-form 2008/08/05 oCert confirmed the submission. oCert starts the coordination of affected authors/vendors 2008/09/06 oCert informs all parties about the advisory release date 2008/09/11 n.runs AG releases this advisory in coordination with oCert ________________________________________________________________________ Overview: The Horde project is about creating high quality Open Source applications, based on PHP and the Horde Framework. The guiding principles of the Horde Project are to create solid standards-based applications using intelligent object-oriented design that, wherever possible, are designed to run on a wide range of platforms and backends. There is great emphasis on making Horde as friendly to non-English speakers as possible. The Horde Framework currently supports many localization features such as unicode and right-to-left text and generous users have contributed many translations for the framework and applications. Currently Horde Project boasts many applications, some already enterprise-ready and deployed in demanding environments, and some exciting new ones still in development. Description: The Horde Framework fails to properly sanitize the filename of MIME attachments on received emails. Impact: While a webmail user is viewing an email with a malicously prepared filename attachment, the attacker can highjack victim's account. This allows him to send emails on behalf of the victim or to do other arbitrary actions. Solution: For detailed information about the fixes, follow the link in the references section [1] of this document. ________________________________________________________________________ Credits: Bug found by Alexios Fakos of n.runs AG. Many thanks to Will Drewry of oCert team for the coordination and professional communication. ________________________________________________________________________ References: [1] http://www.ocert.org/advisories/ocert-2008-012.html This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php Subscribe to the n.runs newsletter by signing up to: http://www.nruns.com/newsletter_en.php ________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2008 n.runs AG. All rights reserved. Terms of use apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/