[horde3] [CVE-2008-1284] information disclosure

Bug #203456 reported by disabled.user
Affects           Status        Importance  Assigned to        Milestone
horde3 (Debian)   Fix Released  Unknown
horde3 (Ubuntu)   Fix Released  High        William Grant
  Dapper          Fix Released  High        Emanuele Gentili
  Edgy            Fix Released  High        Emanuele Gentili
  Feisty          Fix Released  High        Emanuele Gentili
  Gutsy           Fix Released  High        Emanuele Gentili
  Hardy           Fix Released  High        William Grant

Bug Description

Binary package hint: horde3

References:
DSA-1519-1 (http://www.debian.org/security/2008/dsa-1519)

Quoting:
"It was discovered that the Horde web application framework permits arbitrary
file inclusion by a remote attacker through the theme preference parameter."

Changed in horde3:
status: Unknown → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

Fixed in 3.1.7-1, which I'm requesting a sync for.

Changed in horde3:
assignee: nobody → fujitsu
importance: Undecided → High
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horde3 - 3.1.7-1

---------------
horde3 (3.1.7-1) unstable; urgency=high

  * New upstream release.
  * This new version has security fix: fix arbitrary file inclusion through
    abuse of the theme preference (see CVE-2008-1284 for more information).
    (Closes: #470640)
  * Fix typo in debian/rules comments.
  * Add php-net-imap package in "Suggests" field. (Closes: #470283)
  * Add libgeoip1 package in "Suggests" field. (Closes: #376935)

 -- William Grant <email address hidden> Sat, 15 Mar 2008 14:00:34 +0100

Changed in horde3:
status: In Progress → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

Tested on virtual server, patch work fine.

Changed in horde3:
assignee: nobody → emgent
importance: Undecided → High
status: New → In Progress
(the same change was recorded on each of the four series tasks)

Changed in horde3:
status: In Progress → Fix Committed
(recorded on each of the four series tasks)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horde3 - 3.1.4-1ubuntu0.1

---------------
horde3 (3.1.4-1ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #203456)
   + Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5,
     and Groupware Webmail Edition before 1.0.6, when running with certain
     configurations, allows remote authenticated users to read and execute arbitrary
     files via ".." sequences and a null byte in the theme name.
     Fix directory traversal vulnerability in Registry.php which allows
     an attacker to read and execute arbitrary local files via crafted
     path sequences.

  * References
   + http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1284
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
   + http://www.debian.org/security/2008/dsa-1519

 -- Emanuele Gentili <email address hidden> Thu, 27 Mar 2008 14:03:40 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horde3 - 3.1.3-4ubuntu0.1

---------------
horde3 (3.1.3-4ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #203456)
   + Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5,
     and Groupware Webmail Edition before 1.0.6, when running with certain
     configurations, allows remote authenticated users to read and execute arbitrary
     files via ".." sequences and a null byte in the theme name.
     Fix directory traversal vulnerability in Registry.php which allows
     an attacker to read and execute arbitrary local files via crafted
     path sequences.

  * References
   + http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1284
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
   + http://www.debian.org/security/2008/dsa-1519

 -- Emanuele Gentili <email address hidden> Thu, 27 Mar 2008 14:57:51 +0100
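
The changelogs above describe the bug in terms a practitioner will recognise: a user-controlled theme preference is turned into a filesystem path, so ".." segments walk out of the theme directory and a trailing NUL byte truncates whatever suffix the code appends (PHP only began rejecting NUL bytes in filesystem paths in 5.3.4). The following is an added illustration of that pattern and its fix; it is not Horde's Registry.php or the upstream 3.1.7 patch, and the directory constant, function names and theme allowlist are all assumptions made for the example.

```php
<?php
// Added example for the CVE-2008-1284 pattern. Constructed model, not Horde code.
// THEME_DIR, the function names and the installed-theme list are assumptions.

define('THEME_DIR', __DIR__ . '/themes');

// Vulnerable pattern: the preference value is concatenated straight into a path
// that is later passed to include/require. "../../etc/passwd\0" escapes
// THEME_DIR via ".." and, on PHP < 5.3.4, the NUL byte drops the appended
// "/screen.css", so an arbitrary local file is read or executed.
function vulnerableThemePath(string $theme): string
{
    return THEME_DIR . '/' . $theme . '/screen.css';
}

// Constructed allowlist of installed themes. A real deployment would build
// this once from the directory listing or keep it in configuration.
function installedThemes(): array
{
    return ['bluewhite', 'graywhite', 'mozilla'];
}

// Hardened: validate the name before it ever becomes a path.
function safeThemeName(string $theme): ?string
{
    // 1. Conservative character set: no '/', '\', '.', NUL or whitespace,
    //    so neither ".." nor NUL truncation can be expressed at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    // 2. Exact match against the allowlist, strict comparison.
    if (!in_array($theme, installedThemes(), true)) {
        return null;
    }
    return $theme;
}

// Defence in depth: even after validation, refuse any resolved path that does
// not sit below THEME_DIR. (realpath() needs the directory to exist on disk.)
function safeThemePath(string $theme): ?string
{
    $name = safeThemeName($theme);
    if ($name === null) {
        return null;
    }
    $real = realpath(THEME_DIR . '/' . $name . '/screen.css');
    $base = realpath(THEME_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demonstration with constructed attacker inputs.
$inputs = [
    'bluewhite',                        // legitimate theme
    '../../../../etc/passwd',           // plain traversal
    "../../../../etc/passwd\0",         // traversal plus NUL truncation
    'bluewhite/../../config/conf.php',  // traversal behind a valid prefix
];
foreach ($inputs as $in) {
    printf("%-40s vulnerable=%s  hardened=%s\n",
        addcslashes($in, "\0..\37"),
        vulnerableThemePath($in),
        safeThemeName($in) ?? 'REJECTED');
}
```

Running this shows the vulnerable function happily returning paths outside the theme directory for the last three inputs, while the hardened validator rejects everything except the allowlisted name. The order matters: validate the name first (step 1 and 2), and only then touch the filesystem; a realpath() check on its own is not enough on a PHP version that silently truncates at the NUL byte.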

Changed in horde3:
status: Fix Committed → Fix Released
(recorded on each of the four series tasks)
This report contains Public Security information. Everyone can see this security related information.