Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Horde_application_framework | Horde | * | 3.3.8 (including) |
| Horde_application_framework | Horde | 1.0.3 (including) | 1.0.3 (including) |
| Horde_application_framework | Horde | 1.1.1 (including) | 1.1.1 (including) |
| Horde_application_framework | Horde | 1.3.0 (including) | 1.3.0 (including) |
| Horde_application_framework | Horde | 1.3.1 (including) | 1.3.1 (including) |
| Horde_application_framework | Horde | 1.3.2 (including) | 1.3.2 (including) |
| Horde_application_framework | Horde | 1.3.3 (including) | 1.3.3 (including) |
| Horde_application_framework | Horde | 1.3.4 (including) | 1.3.4 (including) |
| Horde_application_framework | Horde | 1.3.5 (including) | 1.3.5 (including) |
| Horde_application_framework | Horde | 2.0 (including) | 2.0 (including) |
| Horde_application_framework | Horde | 2.0-rc1 (including) | 2.0-rc1 (including) |
| Horde_application_framework | Horde | 2.0-rc3 (including) | 2.0-rc3 (including) |
| Horde_application_framework | Horde | 2.0-rc4 (including) | 2.0-rc4 (including) |
| Horde_application_framework | Horde | 2.1 (including) | 2.1 (including) |
| Horde_application_framework | Horde | 2.2 (including) | 2.2 (including) |
| Horde_application_framework | Horde | 2.2.1 (including) | 2.2.1 (including) |
| Horde_application_framework | Horde | 2.2.2 (including) | 2.2.2 (including) |
| Horde_application_framework | Horde | 2.2.3 (including) | 2.2.3 (including) |
| Horde_application_framework | Horde | 2.2.4 (including) | 2.2.4 (including) |
| Horde_application_framework | Horde | 2.2.5 (including) | 2.2.5 (including) |
| Horde_application_framework | Horde | 2.2.6 (including) | 2.2.6 (including) |
| Horde_application_framework | Horde | 2.2.6-rc1 (including) | 2.2.6-rc1 (including) |
| Horde_application_framework | Horde | 2.2.7 (including) | 2.2.7 (including) |
| Horde_application_framework | Horde | 2.2.8 (including) | 2.2.8 (including) |
| Horde_application_framework | Horde | 2.2.9 (including) | 2.2.9 (including) |
| Horde_application_framework | Horde | 3.0 (including) | 3.0 (including) |
| Horde_application_framework | Horde | 3.0-alpha (including) | 3.0-alpha (including) |
| Horde_application_framework | Horde | 3.0-beta (including) | 3.0-beta (including) |
| Horde_application_framework | Horde | 3.0-rc1 (including) | 3.0-rc1 (including) |
| Horde_application_framework | Horde | 3.0-rc2 (including) | 3.0-rc2 (including) |
| Horde_application_framework | Horde | 3.0-rc3 (including) | 3.0-rc3 (including) |
| Horde_application_framework | Horde | 3.0.1 (including) | 3.0.1 (including) |
| Horde_application_framework | Horde | 3.0.2 (including) | 3.0.2 (including) |
| Horde_application_framework | Horde | 3.0.3 (including) | 3.0.3 (including) |
| Horde_application_framework | Horde | 3.0.3-rc1 (including) | 3.0.3-rc1 (including) |
| Horde_application_framework | Horde | 3.0.4 (including) | 3.0.4 (including) |
| Horde_application_framework | Horde | 3.0.4-rc1 (including) | 3.0.4-rc1 (including) |
| Horde_application_framework | Horde | 3.0.4-rc2 (including) | 3.0.4-rc2 (including) |
| Horde_application_framework | Horde | 3.0.5 (including) | 3.0.5 (including) |
| Horde_application_framework | Horde | 3.0.5-rc1 (including) | 3.0.5-rc1 (including) |
| Horde_application_framework | Horde | 3.0.5-rc2 (including) | 3.0.5-rc2 (including) |
| Horde_application_framework | Horde | 3.0.6 (including) | 3.0.6 (including) |
| Horde_application_framework | Horde | 3.0.6-rc1 (including) | 3.0.6-rc1 (including) |
| Horde_application_framework | Horde | 3.0.7 (including) | 3.0.7 (including) |
| Horde_application_framework | Horde | 3.0.8 (including) | 3.0.8 (including) |
| Horde_application_framework | Horde | 3.0.9 (including) | 3.0.9 (including) |
| Horde_application_framework | Horde | 3.0.10 (including) | 3.0.10 (including) |
| Horde_application_framework | Horde | 3.0.11 (including) | 3.0.11 (including) |
| Horde_application_framework | Horde | 3.0.12 (including) | 3.0.12 (including) |
| Horde_application_framework | Horde | 3.1 (including) | 3.1 (including) |
| Horde_application_framework | Horde | 3.1-rc1 (including) | 3.1-rc1 (including) |
| Horde_application_framework | Horde | 3.1-rc2 (including) | 3.1-rc2 (including) |
| Horde_application_framework | Horde | 3.1-rc3 (including) | 3.1-rc3 (including) |
| Horde_application_framework | Horde | 3.1.1 (including) | 3.1.1 (including) |
| Horde_application_framework | Horde | 3.1.2 (including) | 3.1.2 (including) |
| Horde_application_framework | Horde | 3.1.3 (including) | 3.1.3 (including) |
| Horde_application_framework | Horde | 3.1.4 (including) | 3.1.4 (including) |
| Horde_application_framework | Horde | 3.1.4-rc1 (including) | 3.1.4-rc1 (including) |
| Horde_application_framework | Horde | 3.1.5 (including) | 3.1.5 (including) |
| Horde_application_framework | Horde | 3.1.6 (including) | 3.1.6 (including) |
| Horde_application_framework | Horde | 3.1.7 (including) | 3.1.7 (including) |
| Horde_application_framework | Horde | 3.1.8 (including) | 3.1.8 (including) |
| Horde_application_framework | Horde | 3.1.9 (including) | 3.1.9 (including) |
| Horde_application_framework | Horde | 3.2 (including) | 3.2 (including) |
| Horde_application_framework | Horde | 3.2-alpha (including) | 3.2-alpha (including) |
| Horde_application_framework | Horde | 3.2-rc1 (including) | 3.2-rc1 (including) |
| Horde_application_framework | Horde | 3.2-rc2 (including) | 3.2-rc2 (including) |
| Horde_application_framework | Horde | 3.2-rc3 (including) | 3.2-rc3 (including) |
| Horde_application_framework | Horde | 3.2-rc4 (including) | 3.2-rc4 (including) |
| Horde_application_framework | Horde | 3.2.1 (including) | 3.2.1 (including) |
| Horde_application_framework | Horde | 3.2.2 (including) | 3.2.2 (including) |
| Horde_application_framework | Horde | 3.2.3 (including) | 3.2.3 (including) |
| Horde_application_framework | Horde | 3.2.4 (including) | 3.2.4 (including) |
| Horde_application_framework | Horde | 3.2.5 (including) | 3.2.5 (including) |
| Horde_application_framework | Horde | 3.3 (including) | 3.3 (including) |
| Horde_application_framework | Horde | 3.3-rc1 (including) | 3.3-rc1 (including) |
| Horde_application_framework | Horde | 3.3.1 (including) | 3.3.1 (including) |
| Horde_application_framework | Horde | 3.3.2 (including) | 3.3.2 (including) |
| Horde_application_framework | Horde | 3.3.3 (including) | 3.3.3 (including) |
| Horde_application_framework | Horde | 3.3.4 (including) | 3.3.4 (including) |
| Horde_application_framework | Horde | 3.3.4-rc1 (including) | 3.3.4-rc1 (including) |
| Horde_application_framework | Horde | 3.3.5 (including) | 3.3.5 (including) |
| Horde_application_framework | Horde | 3.3.6 (including) | 3.3.6 (including) |
| Horde_application_framework | Horde | 3.3.7 (including) | 3.3.7 (including) |
| Horde3 | Ubuntu | dapper | * |
| Horde3 | Ubuntu | hardy | * |
| Horde3 | Ubuntu | karmic | * |
| Horde3 | Ubuntu | lucid | * |
| Horde3 | Ubuntu | maverick | * |
| Horde3 | Ubuntu | upstream | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html
- http://lists.horde.org/archives/announce/2010/000557.html
- http://secunia.com/advisories/42140
- https://bugzilla.redhat.com/show_bug.cgi?id=630687
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html
- http://lists.horde.org/archives/announce/2010/000557.html
- http://secunia.com/advisories/42140
- https://bugzilla.redhat.com/show_bug.cgi?id=630687