Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Upgrade to 3.3.6 - Fixes a lot of security bugs

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200909-14 (Horde: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Horde:
    Gunnar Wrobel reported an input sanitation and directory traversal     flaw in framework/Image/Image.php, related to the 'Horde_Image driver     name' (CVE-2009-0932).
    Gunnar Wrobel reported that data sent     to horde/services/portal/cloud_search.php is not properly sanitized     before used in the output (CVE-2009-0931).
    It was reported     that data sent to framework/Text_Filter/Filter/xss.php is not properly     sanitized before used in the output (CVE-2008-5917).
    Horde Passwd: David Wharton reported that data sent via the 'backend'     parameter to passwd/main.php is not properly sanitized before used in     the output (CVE-2009-2360).
    Horde IMP: Gunnar Wrobel reported that data sent to smime.php, pgp.php,     and message.php is not properly sanitized before used in the output     (CVE-2009-0930).
  Impact :

    A remote authenticated attacker could exploit these vulnerabilities to     execute arbitrary PHP files on the server, or disclose the content of     arbitrary files, both only if the file is readable to the web server. A     remote authenticated attacker could conduct Cross-Site Scripting     attacks. NOTE: Some Cross-Site Scripting vectors are limited to the     usage of Microsoft Internet Explorer.
  Workaround :

    There is no known workaround at this time.

The version of Horde, Horde Groupware, or Horde Groupware Webmail Edition installed on the remote host fails to filter input to the 'driver' argument of the 'Horde_Image: : factory' method before using it to include PHP code in 'lib/Horde/Image.php'.  Regardless of PHP's 'register_globals' and 'magic_quotes_gpc' settings, an unauthenticated attacker can exploit this issue to view arbitrary files or possibly to execute arbitrary PHP code on the remote host, subject to the privileges of the web server user ID.

 Note that this install is also likely affected by a cross-site scripting issue in the 'services/portal/cloud_search.php' script.

ID	Name	Product	Family	Severity
47404	Fedora 13 : horde-3.3.6-1.fc13 (2010-5563)	Nessus	Fedora Local Security Checks	medium
47395	Fedora 12 : horde-3.3.6-1.fc12 (2010-5520)	Nessus	Fedora Local Security Checks	medium
47390	Fedora 11 : horde-3.3.6-1.fc11 (2010-5483)	Nessus	Fedora Local Security Checks	medium
40961	GLSA-200909-14 : Horde: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
4835	Horde < 3.3.3 / 3.2.4 Horde_Image::factory driver Argument Local File Inclusion	Nessus Network Monitor	CGI	high

Detections

Analytics

CVE-2009-0931

medium

Tenable Plugins

medium

medium

medium

medium

high