Horde Application Framework: Multiple vulnerabilities

1. Gentoo Linux Security Advisory

Version Information
| Advisory Reference | GLSA 200805-01 / horde |
| Release Date | May 05, 2008 |
| Latest Revision | May 05, 2008: 01 |
| Impact | normal |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
|---|---|---|---|
| www-apps/horde | < 3.1.7 | >= 3.1.7 | All supported architectures |
| www-apps/horde-groupware | < 1.0.5 | >= 1.0.5 | All supported architectures |
| www-apps/horde-kronolith | < 2.1.7 | >= 2.1.7 | All supported architectures |
| www-apps/horde-mnemo | < 2.1.2 | >= 2.1.2 | All supported architectures |
| www-apps/horde-nag | < 2.1.4 | >= 2.1.4 | All supported architectures |
| www-apps/horde-webmail | < 1.0.6 | >= 1.0.6 | All supported architectures |
Related bugreports: #212635, #213493
Synopsis
Multiple vulnerabilities in the Horde Application Framework may lead to the
execution of arbitrary files, information disclosure, and allow a remote
attacker to bypass security restrictions.
2. Impact Information
Background
The Horde Application Framework is a general-purpose web application
framework written in PHP, providing classes for handling preferences,
compression, browser detection, connection tracking, MIME and more.
Description

Multiple vulnerabilities have been reported in the Horde Application
Framework:

- David Collins, Patrick Pelanne and the HostGator.com LLC support team
  discovered that the theme preference page does not sanitize POST
  variables for several options, allowing the insertion of NULL bytes and
  ".." sequences (CVE-2008-1284).
- An error exists in the Horde API allowing users to bypass security
  restrictions.
Impact
The first vulnerability can be exploited by a remote attacker to read
arbitrary files and by remote authenticated attackers to execute
arbitrary files. The second vulnerability can be exploited by
authenticated remote attackers to perform restricted operations.
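The first issue is a classic unsanitized-path-component problem: a POST value is joined into a filesystem path, so ".." segments walk out of the intended directory and an embedded NUL byte truncates the name once it reaches a C-level file call. The following Python example, added here as an illustration and not taken from the Horde code base or from the fix shipped in 3.1.7, places the unchecked construction beside a hardened validator. The themes root, the theme names and the sample POST values are all constructed for the example.

```python
import posixpath
import re

# Constructed example layout: a Horde-style themes directory. The root and
# the theme names are hypothetical, not taken from the Horde code base.
THEMES_ROOT = "/var/www/horde/themes"
KNOWN_THEMES = ("bluewhite", "graphite", "simplex")

# A theme name is a short token of safe characters; everything else
# (NUL bytes, "..", "/", "\\", percent-encoded variants) is rejected.
_THEME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def unsafe_theme_path(theme):
    """The pattern the advisory describes: the POST value is joined into a
    filesystem path without any check. ".." segments walk out of the themes
    directory, and an embedded NUL byte survives into the string that a
    C-level file call would later truncate at that byte."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "screen.css"))


def validate_theme(theme):
    """Return the theme name if it is safe to use, else None.

    Four layered checks, each covering one failure mode on its own:
      1. reject NUL bytes (truncation in libc path handling),
      2. reject anything outside the strict allowlist pattern
         (covers "..", path separators and encoded variants),
      3. confirm the normalized path still lies under THEMES_ROOT,
      4. accept only names that are actually installed themes.
    """
    if not isinstance(theme, str) or "\x00" in theme:
        return None
    if _THEME_RE.fullmatch(theme) is None:
        return None
    # normpath rather than realpath so the check runs without the directory
    # existing on the machine running this example.
    candidate = posixpath.normpath(posixpath.join(THEMES_ROOT, theme))
    if posixpath.commonpath([THEMES_ROOT, candidate]) != THEMES_ROOT:
        return None
    if theme not in KNOWN_THEMES:
        return None
    return theme


def safe_theme_path(theme):
    """Build the stylesheet path only from a validated theme name."""
    name = validate_theme(theme)
    if name is None:
        raise ValueError("rejected theme value: %r" % (theme,))
    return posixpath.join(THEMES_ROOT, name, "screen.css")


# Constructed POST values: one legitimate name and the two malformed shapes
# the advisory names (".." traversal and an embedded NUL byte).
SAMPLE_POST_VALUES = [
    "bluewhite",
    "../../../secret.txt",
    "bluewhite\x00.css",
]


def classify(values):
    """Map each submitted value to 'accepted' or 'rejected'."""
    return {v: ("accepted" if validate_theme(v) else "rejected") for v in values}


if __name__ == "__main__":
    for value, verdict in classify(SAMPLE_POST_VALUES).items():
        print("%-26r -> %s (unchecked path would be %s)"
              % (value, verdict, unsafe_theme_path(value)))
```

The allowlist pattern alone would already reject both malformed samples; the explicit NUL check and the path-containment check are kept as independent layers so that a later relaxation of the pattern (say, to permit dots in theme names) does not silently reopen either hole.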
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Horde Application Framework users should upgrade to the latest
version:
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.7"

All horde-groupware users should upgrade to the latest version:

Code Listing 3.2: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.0.5"

All horde-kronolith users should upgrade to the latest version:

Code Listing 3.3: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-2.1.7"

All horde-mnemo users should upgrade to the latest version:

Code Listing 3.4: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-2.1.2"

All horde-nag users should upgrade to the latest version:

Code Listing 3.5: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-nag-2.1.4"

All horde-webmail users should upgrade to the latest version:

Code Listing 3.6: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.0.6"
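Each listing above is the same rule applied to one package: anything below the unaffected bound in the version table needs the one-shot upgrade. The Python example below, added here and not part of the advisory or of Gentoo's tooling, encodes that table and checks a package inventory against it, then renders the corresponding emerge lines. The inventory is a constructed sample in the "category/package-version[-rN]" form that Portage tools print, and the version comparison is a simplification of Portage's rules that covers the plain dotted versions this advisory uses.

```python
import re

# The package table from GLSA 200805-01: installed versions below the bound
# are vulnerable, versions at or above it are unaffected.
GLSA_200805_01 = {
    "www-apps/horde": "3.1.7",
    "www-apps/horde-groupware": "1.0.5",
    "www-apps/horde-kronolith": "2.1.7",
    "www-apps/horde-mnemo": "2.1.2",
    "www-apps/horde-nag": "2.1.4",
    "www-apps/horde-webmail": "1.0.6",
}

# Constructed inventory in the "category/package-version[-rN]" form that
# Portage tools print; these are sample entries, not a real host.
SAMPLE_INSTALLED = """\
www-apps/horde-3.1.6
www-apps/horde-groupware-1.0.5
www-apps/horde-kronolith-2.1.7-r1
www-apps/horde-nag-2.1.3
www-apps/horde-webmail-1.0.6
dev-lang/php-5.2.5
"""

# Splits "www-apps/horde-kronolith-2.1.7-r1" into atom, version and revision.
# The non-greedy package name stops at the first "-<digits>" boundary.
_PKG_RE = re.compile(
    r"^(?P<atom>[^/\s]+/[A-Za-z0-9_+-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)


def version_key(ver, rev=None):
    """Comparable key for plain dotted versions plus an optional -rN revision.

    This is a simplification of Portage's version rules (no _rc/_p/letter
    suffixes), which is all this advisory's bounds need.
    """
    return (tuple(int(part) for part in ver.split(".")), int(rev or 0))


def is_vulnerable(installed_ver, unaffected_bound, installed_rev=None):
    """True when the installed version sorts below the unaffected bound."""
    return version_key(installed_ver, installed_rev) < version_key(unaffected_bound)


def check_installed(inventory_text, advisory):
    """Return {atom: (installed_version, required_bound)} for every package
    in the inventory that the advisory still lists as vulnerable."""
    findings = {}
    for line in inventory_text.splitlines():
        match = _PKG_RE.match(line.strip())
        if match is None:
            continue
        atom, ver, rev = match.group("atom", "ver", "rev")
        bound = advisory.get(atom)
        if bound is None:
            continue  # package not covered by this advisory
        if is_vulnerable(ver, bound, rev):
            shown = ver + ("-r" + rev if rev else "")
            findings[atom] = (shown, bound)
    return findings


def emerge_commands(findings):
    """Render the advisory's own resolution line for each finding."""
    return ['emerge --ask --oneshot --verbose ">=%s-%s"' % (atom, bound)
            for atom, (_installed, bound) in sorted(findings.items())]


if __name__ == "__main__":
    hits = check_installed(SAMPLE_INSTALLED, GLSA_200805_01)
    for atom, (installed, bound) in sorted(hits.items()):
        print("%s: installed %s, needs >= %s" % (atom, installed, bound))
    for cmd in emerge_commands(hits):
        print(cmd)
```

A Gentoo revision such as 2.1.7-r1 is a rebuild of the same upstream version, which is why it sorts at or above the 2.1.7 bound and is not flagged; the sample inventory includes one such entry to make that distinction visible.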
4. References

CVE-2008-1284