[horde] [SA44408] Horde Security Bypass and Script Insertion Vulnerabilities horde 3 ?

Robert Schetterer robert at schetterer.org
Thu May 5 13:32:02 UTC 2011


On 05.05.2011 14:44, Jan Schneider wrote:
> 
> Quoting Robert Schetterer <robert at schetterer.org>:
> 
>> Hi all,
>>
>> ---snip
>>
>>
>> DESCRIPTION:
>> A security issue and a vulnerability have been reported in Horde,
>> which can be exploited by malicious users to conduct script insertion
>> attacks and by malicious people to bypass certain security
>> restrictions.
>>
>> 1) The security issue is caused due to an error in
>> framework/Share/lib/Horde/Share/Object/Sql.php when checking the
>> permission of guest users accessing shared resources and can be
>> exploited to access potentially restricted resources.
>>
>> 2) The vulnerability is caused due to an error in
>> framework/Text_Filter/lib/Horde/Text/Filter/Xss.php when sanitising
>> input, which may result in some input not being sanitised. This can
>> be exploited to insert arbitrary HTML and script code, which will be
>> executed when the malicious data is being viewed.
>>
>> The security issue and the vulnerability are reported in version
>> 4.0.1. Prior versions may also be affected.
>>
>> SOLUTION:
>> Update to version 4.0.2.
>>
>> ---snipend
>>
>>
>> will there be a fix for horde 3 branch too, or is it not affected?
> 
> Not affected.
> 
> Jan.
> 
thx for info

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

