[pkg-horde] Bug#358812: CVE-2006-1260: File disclosure vulnerability

Moritz Muehlenhoff jmm at inutil.org
Fri Mar 24 14:17:58 UTC 2006


Package: horde3
Severity: grave
Tags: security
Justification: user security hole

| Horde Application Framework 3.0.9 allows remote attackers to read arbitrary
| files via a null character in the url parameter in services/go.php, which
| bypasses a sanity check.

Please see
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/043657.html
for details.

This is CVE-2006-1260; please mention it in the changelog when fixing it.

Could you check whether Horde 3.0.4 and 2.2.8 from stable are affected?

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



