Several XSS issues in Horde Framework, Kronolith

SEC Consult Security Advisory < 20051211-0 >

==========================================================================

title: < Several XSS issues in Horde Framework, Kronolith

Calendar, Mnemo Notes, Nag Tasks and Turba

Addressbook >

program: < Horde Application Framework + Modules >

vulnerable version: < Horde: <= 3.0.7

Kronolith: <= 2.0.5

Mnemo: <= 2.0.2

Nag: <= 2.0.3

Turba: <= 2.0.4 >

homepage: < www.horde.org >

found: < 2005-12-02 >

by: < Johannes Greil > / SEC Consult / www.sec-consult.com

==========================================================================

 

-------------------

vendor description:

-------------------

The Horde Project is about creating high quality Open Source

applications, based on PHP and the Horde Framework.

 

The guiding principles of the Horde Project are to create solid

standards-based applications using intelligent object oriented design

that, wherever possible, are designed to run on a wide range of

platforms and backends. There is great emphasis on making Horde as

friendly to non-English speakers as possible. The Horde Framework

currently supports many localization features such as unicode and

right-to-left text and generous users have contributed many

translations for the framework and applications.

 

 

----------------------

vulnerabilty overview:

----------------------

Kronolith - Calendar Application

================================

view calendars:

---------------

1) An (authenticated) attacker can create a calendar (under "My

Calendars") with any Javascript code in the name field ("Calendar

Name") and change the permissions to make it public to all users of the

system.

 

If the victim (user of the system) clicks on the menu "My Calendars" to

only view his calendars, all the public calendars will also show up and

the script code of the attacker will be executed.

 

 

delete events:

--------------

2) The title field of a calendar event is not properly sanitized when

deleting an event. Kronolith asks for "Delete $title" and renders

$title without further validation on the confirmation page.

 

It poses a threat when using shared/public calendars, where users of

the system have read and especially delete access to other users'

calendar events.

 

 

search events:

--------------

3) The Basic and Advanced Search functionality render the category and

location field without sanitation. An attacker can make an event public

and insert common search words in the title or other fields in

combination with malicious code. A victim searching for a common word

will get the script code as a result, which is executed immediately.

 

The scripting code, which has been added as a new category, will also

be rendered in Horde Options under "Category and Labels", but

categories cannot be shared to other users.

 

 

edit attendees:

---------------

4) An attacker can add script code as an attendee email address in an

event. Viewing the event is enough to execute the code because the

email address isn't being filtered.

 

 

edit permissions:

-----------------

5) The popup window for editing the permissions of a (your own)

calendar doesn't filter the title of a calendar and views it

unfiltered. This cannot be remotely exploited.

 

 

The victim must be subscribed to the public calendar in bug 2), 3) and

4) to be affected, 1) does work in every case. An attacker can

implement "relogin trojan scripting code" to trick the users to enter

their login name + passwords and take over the accounts. This also

bypasses the session management features of the Horde Framework (stores

IP and browser string in sessions hence the cookie alone isn't that

helpful).

 

 

Horde Framework:

================

6) The Horde Framework itself also suffers from XSS flaws (e.g.

identity field, category/labels, mobile phone field, importing files)

where at least one them is exploitable which affects other modules such

as Turba Address Book.

 

E.g. when showing an Address Book entry, the "Mobile Phone" field is

not being sanitized and an attacker can create a malicious contact with

Javascript code in that field. There are different attack vectors, such

as importing a contact via CSV file or accessing some shared Address

Book with a malicious contact. Directly adding malicious code into the

Mobile Phone field doesn't work because of the input validation in

place.

 

importing CSV files:

--------------------

7) E.g. the Date and Time Fields are not properly sanitized on the

import pages in Kronolith, Mnemo and Nag (a Horde Template is

affected). A specially crafted CSV file can be used to execute

arbitrary code on a victim. It shall be noted that the victim has to

import this preparted file on his own so e.g. some social engineering

email is needed.

 

 

Mnemo Note Manager && Nag Task List Manager:

============================================

There are also some input validation flaws in Mnemo and Nag (and maybe

other modules as well).

 

Mnemo: When creating a new notepad, the notepad's name isn't being

filtered. Hence it is possible to insert any javascript code.

 

Furthermore one can insert Javascript code in a shared notepad's name

which can be remotely exploited (as always only when already

authenticated).

 

Nag: This module suffers from a similar problem as Mnemo, here the

"Task List's Name" and also the shared Tasklists are affected. Nag also

suffers from the "importing CSV file" issue mentioned above.

 

-----------------

proof of concept:

-----------------

Kronolith:

1) E.g. add "<script>alert("calname")</script>" as the "Calendar Name",

change permissions to public read access and login with another user.

 

Just click on "My Calendars" menu - the code will be executed

immediately in the "Select a calendar" section and in the "My Free/Busy

URL" field.

 

 

2) Create a new event in a public calendar and e.g. use

<script>alert("title")</script>" as the title. make this event readable

and deletable for other users. If the victim clicks on "Delete event"

the script code will be executed.

 

 

3) Create an event with "<script>alert("category")</script>" as a new

category name, or some code in the location field, and make it public.

 

If a user searches for the word "category", the event with the

malicious code will be found and the code executed.

 

 

4) Use "<script>alert("attendee")</script>" as an email address and add

the attendee to a public event. The code will be executed when viewing

the public event.

 

 

Horde:

6) E.g. add script code to the "Mobile Phone" field of a contact that

is shared to other people. You have to bypass Horde's input validation

for that field, e.g. by importing a preparated contact via CSV file.

After that the script code will be executed upon clicking on the

contact.

 

--------------------

vulnerable versions:

--------------------

'HORDE_VERSION', '3.0.7' and lower

'KRONOLITH_VERSION', 'H3 (2.0.5)' and lower

'MNEMO_VERSION', 'H3 (2.0.2)' and lower

'NAG_VERSION', 'H3 (2.0.3)' and lower

'TURBA_VERSION', 'H3 (2.0.4)' and lower

 

 

--------------

vendor status:

--------------

vendor notified: 2005-12-02

vendor response: 2005-12-02

first patches available in CVS: 2005-12-02

coordinated release date: 2005-12-11

 

The Horde developer team has been very responsive and working with them

was exemplary.

 

There were several other possible XSS problems in Horde's, Kronolith's

and other modules' source which have been addressed by the developers

after further digging through the code and fixing the reported problems,

CVS archive:

lists.horde.org/archives/cvs/Week-of-Mon-20051128/thread.html

lists.horde.org/archives/cvs/Week-of-Mon-20051205/thread.html

 

Greetings and special thanks to Chuck!

 

 

---------

solution:

---------

The versions of Horde, Kronolith, Mnemo, Nag and other modules have

been bumped, their new releases can be obtained from

www.horde.org

 

Users are strongly urged to upgrade to the latest release of Horde and

each application. The new Horde release fixes the cellphone field

vulnerability for Turba (and any other applications displaying forms

using Horde_Form_Type_cellphone); all of the other fixes are contained

in the application that they affect.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

< Johannes Greil > / www.sec-consult.com /

SGT ::: < tke, mei, bmu, dfa > :::