Security updates for Horde Framework

Updates and patches for the Horde Framework have been released after oCert released an advisory noting two vulnerabilities in the PHP web application framework.

One of the bugs allows an attacker to upload their own HTML and JavaScript code and have it executed in a victim's browser when the victim is opening an email from the attacker. The other bug is a general fault in the user input sanitisation filter, which allows HTML where '/' replaces spaces in the HTML text to pass through; this modified HTML is treated as valid HTML in Internet Explorer and Firefox.

Horde versions 3.1 to 3.2 are affected by only the filtering issue, while versions after 3.2 are affected by both issues. These issues are fixed in Horde 3.2.1. Other applications that use the code are also affected by either one or both of the vulnerabilities. oCert lists the affected versions as

• Horde Groupware, from 1.0 to 1.06 and from 1.1 to 1.1.2
• Horde Groupware Webmail Edition, 1.0 to 1.0.7 and from 1.1 to 1.1.2
• Cake-PHP, 1.2.0.7296 RC2 and all previous versions
• phpMyFAQ. 2.5.0-dev and all previous versions
• deluxeBB, 2.2 and all previous versions
• emuCMS, 0.3 and all previous versions
• SimpleSite, 1.6.4 and all previous versions
• RevokeBB, 1.0RC11_normal and all previous versions
• TPLN, 2.9 and all previous versions
• Logicoder, r27 and all previous versions
• phour, r106 and all previous versions
• MDPro, 1.0821 and all previous versions
• noserub, r784 and all previous versions and, 0.6

Horde has released updates for Horde, Horde Groupware and Webmail and has also made patches available. The advisory also directs users of other affected packages to a fixed version of externalinput.php from Popoon, which should correct the error with other applications.

See Also:

• #2008-012 - Horde, Popoon frameworks common input sanitization errors (XSS) oCert Advisory

(djwm)