CVE-2006-3549
First published: Thu Jul 13 2006(Updated: )
services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Horde application framework | =3.0.0 | |
| Horde application framework | =3.0.1 | |
| Horde application framework | =3.0.2 | |
| Horde application framework | =3.0.3 | |
| Horde application framework | =3.0.4 | |
| Horde application framework | =3.0.5 | |
| Horde application framework | =3.0.6 | |
| Horde application framework | =3.0.7 | |
| Horde application framework | =3.0.8 | |
| Horde application framework | =3.0.9 | |
| Horde application framework | =3.0.10 | |
| Horde application framework | =3.1.0 | |
| Horde application framework | =3.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://moritz-naumann.com/adv/0011/hordemulti/0011.txt
- http://lists.horde.org/archives/announce/2006/000287.html
- http://lists.horde.org/archives/announce/2006/000288.html
- http://www.securityfocus.com/bid/18845
- http://securitytracker.com/id?1016442
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://secunia.com/advisories/20954
- http://secunia.com/advisories/21459
- http://www.debian.org/security/2007/dsa-1406
- http://secunia.com/advisories/27565
- http://securityreason.com/securityalert/1229
- http://www.vupen.com/english/advisories/2006/2694
- http://www.securityfocus.com/archive/1/439255/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2006-3549?
CVE-2006-3549 is considered a high severity vulnerability due to its ability to allow remote attackers to exploit the image proxy of the Horde Application Framework.
How do I fix CVE-2006-3549?
To fix CVE-2006-3549, you should upgrade to Horde Application Framework version 3.1.2 or later, which addresses this vulnerability.
What versions of Horde Application Framework are affected by CVE-2006-3549?
CVE-2006-3549 affects Horde Application Framework versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1.
What type of attack is enabled by CVE-2006-3549?
CVE-2006-3549 enables remote attackers to perform 'Web tunneling' attacks, effectively using the server as a proxy.
Is CVE-2006-3549 remotely exploitable?
Yes, CVE-2006-3549 is remotely exploitable, allowing attackers to manipulate the image proxy feature from outside the local network.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/horde
- canonical/horde application framework
- version/horde application framework/3.0.0
- version/horde application framework/3.0.1
- version/horde application framework/3.0.2
- version/horde application framework/3.0.3
- version/horde application framework/3.0.4
- version/horde application framework/3.0.5
- version/horde application framework/3.0.6
- version/horde application framework/3.0.7
- version/horde application framework/3.0.8
- version/horde application framework/3.0.9
- version/horde application framework/3.0.10
- version/horde application framework/3.1.0
- version/horde application framework/3.1.1