Horde Application Framework Parent Page Title Cross-Site Scripting Vulnerability

Bugtraq ID:	12943
Class:	Input Validation Error
CVE:	CVE-2005-0961
Remote:	Yes
Local:	No
Published:	Mar 29 2005 12:00AM
Updated:	Jul 12 2009 11:56AM
Credit:	The vendor reported this issue.
Vulnerable:	SuSE Linux Enterprise Server 9 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 Horde Project Horde 3.0.4 -RC 2
Not Vulnerable:	Horde Project Horde 3.0.4

Horde Application Framework Parent Page Title Cross-Site Scripting Vulnerability

Horde Application Framework is prone to a cross-site scripting vulnerability. An attacker can supply arbitrary HTML and script code to the application when the page title of a parent frame is manipulated.

A successful attack can facilitate theft of cookie-based authentication credentials. Other attacks are possible as well.

Horde 3.0.4-RC2 is reported vulnerable, however, other versions may be affected as well.

Horde Application Framework Parent Page Title Cross-Site Scripting Vulnerability

An exploit is not required.

Horde Application Framework Parent Page Title Cross-Site Scripting Vulnerability

Solution:
This issue has been addressed in Horde 3.0.4.

SUSE has released advisory SUSE-SR:2005:016 to address this issue. Please see the referenced advisory for more information.


Horde Project Horde 3.0.4 -RC 2

• Horde Horde 3.0.4
  http://ftp.horde.org/pub/horde/horde-latest.tar.gz

Horde Application Framework Parent Page Title Cross-Site Scripting Vulnerability

References:

• [announce] Horde 3.0.4 (final) (Horde Project)
  
• Pandora Homepage (Pandora FMS Team)