Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer.

Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-1260     Null characters in the URL parameter bypass a sanity     check, which allowed remote attackers to read arbitrary     files, which allowed information disclosure.

  - CVE-2006-1491     User input in the help viewer was passed unsanitised to     the eval() function, which allowed injection of     arbitrary web code.

Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-4190     Several Cross-Site-Scripting vulnerabilities have been     discovered in the 'share edit window'.

  - CVE-2006-1260     Null characters in the URL parameter bypass a sanity     check, which allowed remote attackers to read arbitrary     files, which allowed information disclosure.

  - CVE-2006-1491     User input in the help viewer was passed unsanitised to     the eval() function, which allowed injection of     arbitrary web code.

Horde 3.1.1 release announcement :

Major changes compared to Horde 3.1 are :

- Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.

The remote host is affected by the vulnerability described in GLSA-200604-02 (Horde Application Framework: Remote code execution)

    Jan Schneider of the Horde team discovered a vulnerability in the     help viewer of the Horde Application Framework that could allow remote     code execution (CVE-2006-1491). Paul Craig reported that     'services/go.php' fails to validate the passed URL parameter correctly     (CVE-2006-1260).
  Impact :

    An attacker could exploit the vulnerability in the help viewer to     execute arbitrary code with the privileges of the web server user. By     embedding a NULL character in the URL parameter, an attacker could     exploit the input validation issue in go.php to read arbitrary files.
  Workaround :

    There are no known workarounds at this time.

The remote web server contains a PHP application that allows execution of arbitrary PHP code.  The version of Horde installed on the remote host fails to sanitize user-supplied input before using it in the Help viewer to evaluate code.  An unauthenticated attacker could exploit this flaw to execute arbitrary command on the remote host subject to the privileges of the web server user ID.

The version of Horde installed on the remote host fails to sanitize user-supplied input before using it in the Help viewer to evaluate code.  An unauthenticated attacker could exploit this flaw to execute arbitrary command on the remote host subject to the privileges of the web server user id.

ID	Name	Product	Family	Severity
22576	Debian DSA-1034-1 : horde2 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22575	Debian DSA-1033-1 : horde3 - several vulnerabilities	Nessus	Debian Local Security Checks	high
21406	FreeBSD : horde -- remote code execution vulnerability in the help viewer (2db97aa6-be81-11da-9b82-0050bf27ba24)	Nessus	FreeBSD Local Security Checks	high
21195	GLSA-200604-02 : Horde Application Framework: Remote code execution	Nessus	Gentoo Local Security Checks	high
3490	Horde < 3.1.1 Help Viewer Code Execution	Nessus Network Monitor	CGI	high
21164	Horde Help Viewer Arbitrary Code Execution	Nessus	CGI abuses	high

Detections

Analytics

CVE-2006-1491

critical

Tenable Plugins

high

high

high

high

high

high