6403.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
6403

--
Summary:
This event is generated when an attempt is made to exploit a known vulnerability in the Horde web application.

--
Impact:
Serious, unauthorized remote execution of code.

--
Detailed Information:
This event is generated when an attempt is made to exploit a known vulnerability in the Horde web application.

Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.

The Horde web application, written in PHP, does not properly sanitize data passed to the Help Viewer scripts. This allows an attacker to supply code of their choosing to be executed on the server with the credentials of the user running the web server.

--
Affected Systems:
Horde versions prior to and including 3.1.0

--
Attack Scenarios:
An attacker can supply data of their choosing to the help scripts which may contain code to be executed or calls to system commands for execution.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.

Check the host logfiles and application logs for signs of compromise.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--