Posted 02-15-2010, 07:33 PM, #1
All Horde Passwd users should upgrade to the latest v
Multiple vulnerabilities have been discovered in Horde and two modules,
allowing for the execution of arbitrary code, information disclosure, or
Cross-Site Scripting.
Background
Horde is a web application framework written in PHP. Horde IMP, the
"Internet Messaging Program", is a webmail module and Horde Passwd is a
password changing module for Horde.
Affected Packages
Package                  Vulnerable   Unaffected
www-apps/horde           < 3.3.4      >= 3.3.4
www-apps/horde-imp       < 4.3.4      >= 4.3.4
www-apps/horde-passwd    < 3.1.1      >= 3.1.1
Architectures: All supported architectures (all three packages)
Description
Multiple vulnerabilities have been discovered in Horde:
- Gunnar Wrobel reported an input sanitation and directory traversal flaw in framework/Image/Image.php, related to the "Horde_Image driver name" (CVE-2009-0932).
- Gunnar Wrobel reported that data sent to horde/services/portal/cloud_search.php is not properly sanitized before being used in the output (CVE-2009-0931).
- It was reported that data sent to framework/Text_Filter/Filter/xss.php is not properly sanitized before being used in the output (CVE-2008-5917).
Horde Passwd: David Wharton reported that data sent via the "backend" parameter to passwd/main.php is not properly sanitized before being used in the output (CVE-2009-2360).
Horde IMP: Gunnar Wrobel reported that data sent to smime.php, pgp.php, and message.php is not properly sanitized before being used in the output (CVE-2009-0930).
Impact
A remote authenticated attacker could exploit these vulnerabilities to
execute arbitrary PHP files on the server, or disclose the contents of
arbitrary files, both only if the file is readable to the web server. A
remote authenticated attacker could conduct Cross-Site Scripting
attacks. NOTE: Some Cross-Site Scripting vectors are limited to the
usage of Microsoft Internet Explorer.
Workaround
There is no known workaround at this time.
Resolution
All Horde users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.4"
All Horde IMP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-imp-4.3.4"
All Horde Passwd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-passwd-3.1.1"
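As an added example (not part of the advisory or of the Horde or Gentoo projects), a small Python check that takes a list of installed package atoms and reports which ones fall inside the vulnerable ranges above. The atom format, the constructed sample list and the simplified version comparison (dotted numbers plus an optional -rN revision, rather than Portage's full rules) are assumptions.

```python
import re

# First unaffected version per package, taken from the advisory's
# "Affected Packages" table; anything strictly below it is vulnerable.
FIXED_IN = {
    "www-apps/horde": "3.3.4",
    "www-apps/horde-imp": "4.3.4",
    "www-apps/horde-passwd": "3.1.1",
}

# Assumed atom shape: category/name-version[-rN], e.g. www-apps/horde-imp-4.3.4-r1.
# The non-greedy name group stops at the first "-<digit>" so "horde-imp" stays intact.
ATOM_RE = re.compile(
    r"^(?P<pkg>[a-z0-9+_.-]+/[a-z0-9+_-]+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$"
)

# Constructed sample of installed atoms (as a tool such as qlist might print them).
INSTALLED = [
    "www-apps/horde-3.3.3",
    "www-apps/horde-imp-4.3.4-r1",
    "www-apps/horde-passwd-3.1.0",
    "www-apps/horde-kronolith-2.3.2",   # not covered by this advisory
]


def parse_atom(atom: str):
    """Split an atom into (package, version string) or raise on junk input."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a package atom: {atom!r}")
    return m.group("pkg"), m.group("ver")


def version_key(ver: str):
    """Comparable key: numeric components (trailing zeros dropped) plus revision.
    Numeric comparison keeps 3.3.10 above 3.3.4; dropping zeros makes 3.3 == 3.3.0."""
    base, _, rev = ver.partition("-r")
    parts = [int(p) for p in base.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts), int(rev or 0)


def is_vulnerable(atom: str) -> bool:
    """True if the atom is a package from the advisory and below its fixed version."""
    pkg, ver = parse_atom(atom)
    fixed = FIXED_IN.get(pkg)
    return fixed is not None and version_key(ver) < version_key(fixed)


def audit(installed):
    """Return (atom, required version) for every installed atom that needs upgrading."""
    return [(a, FIXED_IN[parse_atom(a)[0]]) for a in installed if is_vulnerable(a)]


if __name__ == "__main__":
    for atom, needed in audit(INSTALLED):
        print(f"{atom}: vulnerable, upgrade to >= {needed}")
```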