[horde] [SA44408] Horde Security Bypass and Script Insertion Vulnerabilities horde 3 ?

Jan Schneider jan at horde.org
Thu May 5 12:44:18 UTC 2011


Quoting Robert Schetterer <robert at schetterer.org>:

> Hi all,
>
> ---snip
>
>
> DESCRIPTION:
> A security issue and a vulnerability have been reported in Horde,
> which can be exploited by malicious users to conduct script insertion
> attacks and by malicious people to bypass certain security
> restrictions.
>
> 1) The security issue is caused due to an error in
> framework/Share/lib/Horde/Share/Object/Sql.php when checking the
> permission of guest users accessing shared resources and can be
> exploited to access potentially restricted resources.
>
> 2) The vulnerability is caused due to an error in
> framework/Text_Filter/lib/Horde/Text/Filter/Xss.php when sanitising
> input, which may result in some input not being sanitised. This can
> be exploited to insert arbitrary HTML and script code, which will be
> executed when the malicious data is being viewed.
>
> The security issue and the vulnerability are reported in version
> 4.0.1. Prior versions may also be affected.
>
> SOLUTION:
> Update to version 4.0.2.
>
> ---snipend
>
>
> Will there be a fix for the Horde 3 branch too, or is it not affected?

Not affected.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/


