[horde] [SA44408] Horde Security Bypass and Script Insertion Vulnerabilities horde 3 ?
Robert Schetterer
robert at schetterer.org
Thu May 5 10:14:17 UTC 2011
Hi all,
---snip
DESCRIPTION:
A security issue and a vulnerability have been reported in Horde,
which can be exploited by malicious users to conduct script insertion
attacks and by malicious people to bypass certain security
restrictions.
1) The security issue is caused due to an error in
framework/Share/lib/Horde/Share/Object/Sql.php when checking the
permission of guest users accessing shared resources and can be
exploited to access potentially restricted resources.
2) The vulnerability is caused due to an error in
framework/Text_Filter/lib/Horde/Text/Filter/Xss.php when sanitising
input, which may result in some input not being sanitised. This can
be exploited to insert arbitrary HTML and script code, which will be
executed when the malicious data is being viewed.
The security issue and the vulnerability are reported in version
4.0.1. Prior versions may also be affected.
SOLUTION:
Update to version 4.0.2.
---snipend
Will there be a fix for the Horde 3 branch too, or is it not affected?
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria