Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200604-02] Horde Application Framework: Remote code execution Vulnerability Scan
Vulnerability Scan Summary Horde Application Framework: Remote code execution
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200604-02
(Horde Application Framework: Remote code execution)
Jan Schneider of the Horde team discovered a vulnerability in the
help viewer of the Horde Application Framework that could allow remote
code execution (CVE-2006-1491). Paul Craig reported that
"services/go.php" fails to validate the passed URL parameter correctly
(CVE-2006-1260).
Impact
An attacker could exploit the vulnerability in the help viewer to
execute arbitrary code with the rights of the web server user. By
embedding a NULL character in the URL parameter, an attacker could
exploit the input validation issue in go.php to read arbitrary files.
Workaround
There are no known workarounds at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1491
http://lists.horde.org/archives/announce/2006/000271.html
Solution:
All Horde Application Framework users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.1"
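The check behind a Gentoo local security test of this kind is a version comparison of the installed package against the fixed version named in the solution. The script below is an added example of that check and is not the scanner's own plugin code. It assumes the standard Gentoo package database layout (/var/db/pkg/<category>/<name>-<version>, overridable through PKGDB_ROOT for testing), strips only a -rN revision suffix, and compares the remaining dotted numeric fields; pre-release suffixes such as _rc are outside its scope.

```shell
#!/bin/sh
# Added example of a GLSA-200604-02 style local check (not the scanner's plugin).
# Assumptions: Gentoo VDB layout under PKGDB_ROOT, numeric dotted versions,
# optional -rN revision suffix; _rc/_p style suffixes are not handled.

PKGDB_ROOT="${PKGDB_ROOT:-/var/db/pkg}"   # assumed standard Gentoo VDB path
FIXED_VERSION="3.1.1"                     # from the GLSA: >=www-apps/horde-3.1.1

# Compare two dotted numeric versions field by field.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing fields count as 0, so 3.1 == 3.1.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}        # leading field of each version
        a=${a#"$fa"}; a=${a#.}          # drop that field and its dot
        b=${b#"$fb"}; b=${b#.}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given horde version is below the fixed version.
horde_is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Turn a VDB entry name such as "horde-3.0.9-r1" into "3.0.9".
# Fails for entries that are not the horde package itself (e.g. horde-webmail-*).
horde_version_from_entry() {
    case "$1" in
        horde-[0-9]*) v=${1#horde-}; printf '%s\n' "${v%-r*}" ;;
        *) return 1 ;;
    esac
}

# Walk <root>/www-apps/horde-* and report each installed version.
# Prints "VULNERABLE <v>" or "OK <v>" per entry; exit 0 if any entry is vulnerable.
check_horde() {
    dir="${1:-$PKGDB_ROOT}/www-apps"
    found_vuln=1
    [ -d "$dir" ] || { echo "NOT INSTALLED"; return 1; }
    for entry in "$dir"/horde-*; do
        [ -e "$entry" ] || continue
        v=$(horde_version_from_entry "$(basename "$entry")") || continue
        if horde_is_vulnerable "$v"; then
            echo "VULNERABLE $v"; found_vuln=0
        else
            echo "OK $v"
        fi
    done
    return $found_vuln
}

# Run against the real package database only when invoked with --run.
[ "${1:-}" = "--run" ] && check_horde
```

Run it as `sh horde_glsa_check.sh --run` on the target host; a VULNERABLE line corresponds to the condition this scan reports, and an OK line means the installed version already satisfies the `>=www-apps/horde-3.1.1` requirement from the solution above.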
Threat Level: High