Horde go.php url Parameter Arbitrary File Access

medium Nessus Plugin ID 21081

Synopsis

The remote web server contains a PHP application that is affected by an information disclosure flaw.

Description

The version of Horde installed on the remote host fails to validate input to the 'url' parameter of the 'services/go.php' script before using it to read files and return their contents. An unauthenticated attacker may be able to leverage this issue to retrieve the contents of arbitrary files on the affected host, subject to the privileges of the web server user ID. This can result in the disclosure of authentication credentials used by the affected application, as well as other sensitive information.

Note that successful exploitation of this issue seems to require that PHP's 'magic_quotes_gpc' be disabled, although this has not been confirmed by the vendor.
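For hosts that ran an affected version, web access logs can be reviewed for requests matching the description above. The following is an added example, not part of the plugin or of Horde: it assumes combined-format access logs and that legitimate use of 'services/go.php' passes an http or https link in 'url'; the function name and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries, not taken from a real host.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2006:10:01:02 +0000] '
    '"GET /horde/services/go.php?url=http%3A%2F%2Fexample.org%2F HTTP/1.1" 302 0',
    '198.51.100.7 - - [15/Mar/2006:10:02:41 +0000] '
    '"GET /horde/services/go.php?url=%2Fetc%2Fhostname HTTP/1.1" 200 12',
    '192.0.2.10 - - [15/Mar/2006:10:03:00 +0000] '
    '"GET /horde/index.php HTTP/1.1" 200 5120',
]

def suspicious_go_requests(lines):
    """Return (client_ip, url_value) for go.php hits whose 'url' is not an http(s) link."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/services/go.php"):
            continue
        # parse_qs percent-decodes each value before we inspect it.
        for value in parse_qs(target.query, keep_blank_values=True).get("url", []):
            try:
                scheme = urlsplit(value.strip()).scheme.lower()
            except ValueError:
                scheme = ""  # unparseable value: treat as suspicious
            if scheme not in ("http", "https"):
                hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_go_requests(SAMPLE_LOG):
        print(f"review: {client} requested go.php with url={value!r}")
```

A hit only shows that a request of this shape was made; the response status and size in the same log entry help decide whether file contents were returned.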

Solution

Upgrade to Horde 3.1 or later.

See Also

http://www.nessus.org/u?c33a56f3

http://www.nessus.org/u?61ed5deb

Plugin Details

Severity: Medium

ID: 21081

File Name: horde_url_file_disclosure.nasl

Version: 1.23

Type: remote

Family: CGI abuses

Published: 3/15/2006

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:horde:horde_application_framework

Required KB Items: www/horde

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/14/2006

Reference Information

CVE: CVE-2006-1260

BID: 17117