Debian DSA-1034-1 : horde2 - several vulnerabilities

high Nessus Plugin ID 22576


The remote Debian host is missing a security-related update.


Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2006-1260 Null characters in the URL parameter bypass a sanity check, which allowed remote attackers to read arbitrary files, which allowed information disclosure.

- CVE-2006-1491 User input in the help viewer was passed unsanitised to the eval() function, which allowed injection of arbitrary web code.


Upgrade the horde2 package.

The old stable distribution (woody) doesn't contain horde2 packages.

For the stable distribution (sarge) these problems have been fixed in version 2.2.8-1sarge2.

See Also

Plugin Details

Severity: High

ID: 22576

File Name: debian_DSA-1034.nasl

Version: 1.17

Type: local

Agent: unix

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information


Risk Factor: High

Score: 7.0


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:horde2, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/14/2006

Vulnerability Publication Date: 3/14/2006

Exploitable With


Reference Information

CVE: CVE-2006-1260, CVE-2006-1491

DSA: 1034