CVE-2006-3549

NameCVE-2006-3549
Descriptionservices/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1406-1
NVD severitymedium (attack range: remote)
Debian Bugs378281
Debian/oldstablenot vulnerable.
Debian/stablenot known to be vulnerable.
Debian/testingnot known to be vulnerable.
Debian/unstablenot known to be vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
horde3 (PTS)squeeze (security), squeeze3.3.8+debian0-3fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
horde3source(unstable)3.1.2-1low378281
horde3sourceetch3.1.3-4etch1mediumDSA-1406-1
horde3sourcesarge3.0.4-4sarge6mediumDSA-1406-1

Search for package or bug name: Reporting problems