Debian Security Advisory
DSA-1966-1 horde3 -- insufficient input sanitising
- Date Reported:
- 07 Jan 2010
- Affected Packages:
- horde3
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-3237, CVE-2009-3701, CVE-2009-4363.
- More information:
-
Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2009-3237
It has been discovered that horde3 is prone to cross-site scripting attacks via crafted number preferences or inline MIME text parts when using text/plain as MIME type. For lenny this issue was already fixed, but as an additional security precaution, the display of inline text was disabled in the configuration file.
- CVE-2009-3701
It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators.
- CVE-2009-4363
It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages.
For the stable distribution (lenny), these problems have been fixed in version 3.2.2+debian0-2+lenny2.
For the oldstable distribution (etch), these problems have been fixed in version 3.1.3-4etch7.
For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 3.3.6+debian0-1.
We recommend that you upgrade your horde3 packages.
- CVE-2009-3237
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.dsc
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch7_all.deb
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.dsc
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny2_all.deb
MD5 checksums of the listed files are available in the original advisory.