Attack Vector
Network
AV
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
- a remote attacker is able to send packets to a target system
- a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
========================================================================
= CodeScan Advisory, codescan.com <advisories (at) codescan (dot) com>
=
= Unauthenticated Arbitrary File Read in Horde v3.09 and prior
=
= Vendor Website:
= http://www.horde.org
=
= Affected Version:
= Versions prior to and including v3.09
=
= Researched By
= Paul Craig <paul.craig (at) security-assessment (dot) com>
=
= Public disclosure on March 15th, 2006
========================================================================
== Overview ==
CodeScan Labs (www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the beta testing of CodeScan PHP, Horde v3.09 was selected as
one of the test applications.
This advisory is the result of research into the security of Horde, based
on the report generated by the CodeScan tool.
CodeScan Labs has also worked with the Horde vendor to ensure future
versions of the product are secure.
== Affected Versions ==
Although Horde v3.09 and all prior versions are vulnerable to this
attack, many distributions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several Horde developers were unable to reproduce this
vulnerability on Debian based servers.
== Vulnerability Details ==
In the file /services/go.php, an insecure call is made to the readfile()
function.
This can be seen in the code below.
--------------------------------------------------------------
$_GET['url'] = trim($_GET['url']);
if (get_magic_quotes_gpc()) {
    $url = @parse_url(trim(stripslashes($_GET['url'])));
} else {
    $url = @parse_url(trim($_GET['url']));
}
if (empty($url) || empty($url['host'])) {
    exit;
}
if ((!empty($_SERVER['SERVER_NAME']) &&
     $_SERVER['SERVER_NAME'] == $url['host']) ||
    (!empty($_SERVER['HTTP_HOST']) &&
     $_SERVER['HTTP_HOST'] == $url['host'])) {
    .........
    // Pass through image content if requested.
    if (!empty($_GET['untrusted'])) {
        readfile($_GET['url']);
        exit;
--------------------------------------------------------------
The parse_url() call and the host comparison that follows are the
only checks on the request: they confirm that the url parameter
parses as a URL whose host matches the server's own name. The value
handed to readfile(), however, is the raw $_GET['url'], not the parsed
and checked components, so the check and the use operate on different
strings. Embedding a NULL character within the url parameter enables
an attacker to control the value passed to readfile(), leading to the
reading of any file on the file system with the privileges of the web
server.
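A hardened form of the same logic, as an added example in PHP that is not Horde's code and not the fix shipped in Horde 3.1: it refuses control bytes in the raw parameter before parsing, permits only http and https, compares the host against a server-side list instead of the client-controlled Host header, and returns a URL rebuilt from the parsed parts so that the value checked is the value used. The function name, the allowed-host list and the sample inputs are this example's own assumptions.

```php
<?php
// Added example, not Horde's code: a validating replacement for the
// go.php logic quoted above. validate_passthrough_url(), $allowed and the
// sample inputs below are assumptions made for this example.

/**
 * Return a normalised http(s) URL that may be fetched on the user's behalf,
 * or null if the input must be refused. The raw parameter is never handed
 * to a file function; only the URL rebuilt from parsed parts is returned.
 */
function validate_passthrough_url(string $raw, array $allowed_hosts): ?string
{
    // 1. A NUL (or any other control byte) never belongs in a URL. Refusing
    //    it up front removes the mismatch between what parse_url() inspects
    //    and what a C-string based file function would open.
    if ($raw === '' || preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return null;
    }

    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }

    // 2. Only remote web resources: no file://, php://, data: or other
    //    stream wrappers that readfile() would otherwise accept.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // 3. Compare against a server-side list. $_SERVER['HTTP_HOST'] is the
    //    client's own Host: header and proves nothing.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }

    // 4. Rebuild the URL from the parsed components so that the string used
    //    for the fetch is exactly the string that was checked.
    $url = $scheme . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Constructed inputs for this example (not taken from the advisory).
$allowed = ['mail.example.org'];
$cases = [
    "/etc/passwd\0http://mail.example.org/"    => null,  // embedded NUL byte
    'file://mail.example.org/etc/passwd'       => null,  // not http(s)
    'http://attacker.example/x.png'            => null,  // host not on the list
    'http://mail.example.org/img/logo.png?v=2' => 'http://mail.example.org/img/logo.png?v=2',
];
foreach ($cases as $input => $expected) {
    $got = validate_passthrough_url($input, $allowed);
    printf("%-45s accepted=%s as_expected=%s\n",
        addcslashes($input, "\0"),
        $got === null ? 'no' : 'yes',
        $got === $expected ? 'yes' : 'no');
}
```

The returned URL still has to be fetched by the caller; doing that with an HTTP client rather than readfile() keeps local paths and other wrappers out of reach even if a later change weakens the checks. Rejecting control bytes first matters because parse_url() and the underlying file functions may disagree about where a string containing NUL ends, which is exactly the gap the advisory describes.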
== Solutions ==
CodeScan Labs has been in contact with Horde and a new version of
the software has been released to address the discovered
vulnerability.
Users are advised to upgrade to version 3.1
ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz
== Credit ==
Discovered and reported to Horde on 4 March 2006 by Paul Craig of
Security-Assessment.com
== About CodeScan Labs Ltd ==
CodeScan Labs is a specialist security research and development
organisation that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP
and PHP (Beta).
== About Security-Assessment.com ==
Security-Assessment.com is Australasia's only pure play security
company, specialising in security audit, assurance and advice services,
assisting large and medium size enterprises who require true independent
measurement of their security compliance at all levels.