Hyperdose Security Advisory

Name: Cross Site Scripting holes found in Horde 3.0
Systems Affected: Horde 3.0 installations
Severity: Moderate
Author: Robert Fly - robfly@hyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-01.txt

--Horde Description--
The Horde Application Framework is a general-purpose web application framework in PHP, providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME handling, and more.

--Bug Details--
Horde contains two XSS attacks that can be exploited through GET requests.  
Once exploited, these requests could be used to execute any javascript commands in the context of that user, potentially including but not limited to reading and deleting email, and stealing auth tokens.  Here are two example URLs with simple exploits.
  */prefs.php?group=columns"><script>alert(document.domain)</script>&app=turba
  */index.php?url=http%3A%2F%2Fserver.com%2Findex.php"%20onload="javascript:alert(document.domain)"&frameset=0

--Fix Information--
Horde.org has released a new install to fix these issues.  These issues are fixed in version 3.0.1, although v3.0.2, which contains the fix has already been released.  Kudos to them as they fixed these vulnerabilities within a few hours of our original email.  GZ below:

http://ftp.horde.org/pub/horde/horde-3.0.2.tar.gz

NOTE: Per Horde team, this vulnerability does not exist in v2.0


--About Hyperdose--
Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle.  We specialize in all phases of software development ranging from security design and architectural reviews, security code reviews and penetration testing.

web   www.hyperdose.com 
email robfly@hyperdose.com