Johannes Greil
13/12/05, 00:00

SEC Consult Security Advisory < 20051211-0 >
==========================================================================
title: < Several XSS issues in Horde Framework, Kronolith
Calendar, Mnemo Notes, Nag Tasks and Turba
Addressbook >
program: < Horde Application Framework + Modules >
vulnerable version: < Horde: <= 3.0.7
Kronolith: <= 2.0.5
Mnemo: <= 2.0.2
Nag: <= 2.0.3
Turba: <= 2.0.4 >
homepage: < http://www.horde.org >
found: < 2005-12-02 >
by: < Johannes Greil > / SEC Consult /
www.sec-consult.com
==========================================================================

-------------------
vendor description:
-------------------
The Horde Project is about creating high quality Open Source
applications, based on PHP and the Horde Framework.

The guiding principles of the Horde Project are to create solid
standards-based applications using intelligent object oriented design
that, wherever possible, are designed to run on a wide range of
platforms and backends. There is great emphasis on making Horde as
friendly to non-English speakers as possible. The Horde Framework
currently supports many localization features such as unicode and
right-to-left text and generous users have contributed many
translations for the framework and applications.


----------------------
vulnerability overview:
----------------------
Kronolith - Calendar Application
================================
view calendars:
---------------
1) An (authenticated) attacker can create a calendar (under "My
Calendars") with any Javascript code in the name field ("Calendar
Name") and change the permissions to make it public to all users of the
system.

If the victim (user of the system) clicks on the menu "My Calendars" to
only view his calendars, all the public calendars will also show up and
the script code of the attacker will be executed.


delete events:
--------------
2) The title field of a calendar event is not properly sanitized when
deleting an event. Kronolith asks for "Delete $title" and renders
$title without further validation on the confirmation page.

It poses a threat when using shared/public calendars, where users of
the system have read and especially delete access to other users'
calendar events.


search events:
--------------
3) The Basic and Advanced Search functionality renders the category and
location fields without sanitization. An attacker can make an event public
and insert common search words in the title or other fields in
combination with malicious code. A victim searching for a common word
will get the script code as a result, which is executed immediately.

The scripting code, which has been added as a new category, will also
be rendered in Horde Options under "Category and Labels", but
categories cannot be shared to other users.


edit attendees:
---------------
4) An attacker can add script code as an attendee email address in an
event. Viewing the event is enough to execute the code because the
email address isn't being filtered.


edit permissions:
-----------------
5) The popup window for editing the permissions of a (your own)
calendar doesn't filter the title of the calendar and displays it
unfiltered. This cannot be remotely exploited.


The victim must be subscribed to the public calendar in bugs 2), 3) and
4) to be affected; 1) works in every case. An attacker can
implement "relogin trojan scripting code" to trick users into entering
their login name + password and take over the accounts. This also
bypasses the session management features of the Horde Framework (the
session stores the IP address and browser string, hence the cookie alone
isn't that helpful).


Horde Framework:
================
6) The Horde Framework itself also suffers from XSS flaws (e.g.
identity field, category/labels, mobile phone field, importing files),
at least one of which is exploitable and affects other modules such
as Turba Address Book.

E.g. when showing an Address Book entry, the "Mobile Phone" field is
not being sanitized and an attacker can create a malicious contact with
Javascript code in that field. There are different attack vectors, such
as importing a contact via CSV file or accessing some shared Address
Book with a malicious contact. Directly adding malicious code into the
Mobile Phone field doesn't work because of the input validation in
place.

importing CSV files:
--------------------
7) E.g. the Date and Time fields are not properly sanitized on the
import pages in Kronolith, Mnemo and Nag (a Horde Template is
affected). A specially crafted CSV file can be used to execute
arbitrary script code in a victim's browser. It shall be noted that the
victim has to import this prepared file on his own, so e.g. some social
engineering email is needed.
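As an added example (not Horde's code), the two defensive controls items 6) and 7) point to: encode every untrusted field at the point it is rendered into HTML, and apply the same field validation on the CSV import path as on the form so import cannot bypass it. The cellphone pattern, the function names and the UTF-8 charset are assumptions for illustration, not Horde's.

```php
<?php
// Added example, not Horde code. Demonstrates output encoding plus
// validation that is applied on every ingestion path (form and CSV import).

// HTML-context output encoding. Always quote attributes in templates so
// this single encoder is also sufficient for attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical validator standing in for the form-level cellphone check:
// digits, spaces, +, -, ( and ) only. Any markup fails this pattern.
function isValidCellphone(string $value): bool
{
    return (bool) preg_match('/^\+?[0-9][0-9 ().-]{3,30}$/', $value);
}

// Import one contact row and reject fields that would have been rejected
// by the form. Returns a list of validation errors (empty when accepted).
function importContactRow(array $row): array
{
    $errors = [];
    if (!isValidCellphone($row['cellphone'] ?? '')) {
        $errors[] = 'cellphone: rejected by validation';
    }
    return $errors;
}

// Render the "Delete $title" confirmation with the title encoded, so an
// event title containing markup is displayed as text rather than executed.
function renderDeleteConfirmation(string $title): string
{
    return '<p>Delete ' . h($title) . '?</p>';
}

// Constructed sample input modelled on the proof-of-concept fields above.
$csvRows = [
    ['name' => 'Alice Example', 'cellphone' => '+43 1 234 5678'],
    ['name' => 'Mallory',       'cellphone' => '<script>alert("mobile")</script>'],
];
foreach ($csvRows as $i => $row) {
    $errors = importContactRow($row);
    echo "row $i: " . ($errors ? implode('; ', $errors) : 'accepted') . "\n";
}
echo renderDeleteConfirmation('<script>alert("title")</script>'), "\n";
```

The first row is accepted and the second is rejected at import time; the confirmation line shows the title with its angle brackets and quotes encoded, so the browser renders it as text.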


Mnemo Note Manager && Nag Task List Manager:
============================================
There are also some input validation flaws in Mnemo and Nag (and maybe
other modules as well).

Mnemo: When creating a new notepad, the notepad's name isn't being
filtered. Hence it is possible to insert any javascript code.

Furthermore one can insert Javascript code in a shared notepad's name
which can be remotely exploited (as always only when already
authenticated).

Nag: This module suffers from a similar problem as Mnemo, here the
"Task List's Name" and also the shared Tasklists are affected. Nag also
suffers from the "importing CSV file" issue mentioned above.

-----------------
proof of concept:
-----------------
Kronolith:
1) E.g. add "<script>alert("calname")</script>" as the "Calendar Name",
change permissions to public read access and login with another user.

Just click on "My Calendars" menu - the code will be executed
immediately in the "Select a calendar" section and in the "My Free/Busy
URL" field.


2) Create a new event in a public calendar and e.g. use
"<script>alert("title")</script>" as the title. Make this event readable
and deletable for other users. If the victim clicks on "Delete event"
the script code will be executed.


3) Create an event with "<script>alert("category")</script>" as a new
category name, or some code in the location field, and make it public.

If a user searches for the word "category", the event with the
malicious code will be found and the code executed.


4) Use "<script>alert("attendee")</script>" as an email address and add
the attendee to a public event. The code will be executed when viewing
the public event.


Horde:
6) E.g. add script code to the "Mobile Phone" field of a contact that
is shared with other people. You have to bypass Horde's input validation
for that field, e.g. by importing a prepared contact via CSV file.
After that the script code will be executed upon clicking on the
contact.

--------------------
vulnerable versions:
--------------------
'HORDE_VERSION', '3.0.7' and lower
'KRONOLITH_VERSION', 'H3 (2.0.5)' and lower
'MNEMO_VERSION', 'H3 (2.0.2)' and lower
'NAG_VERSION', 'H3 (2.0.3)' and lower
'TURBA_VERSION', 'H3 (2.0.4)' and lower


--------------
vendor status:
--------------
vendor notified: 2005-12-02
vendor response: 2005-12-02
first patches available in CVS: 2005-12-02
coordinated release date: 2005-12-11

The Horde developer team has been very responsive and working with them
was exemplary.

Several other potential XSS problems in the source of Horde, Kronolith
and other modules were addressed by the developers after further digging
through the code while fixing the reported problems; see the
CVS archive:
http://lists.horde.org/archives/cvs/Week-of-Mon-20051128/thread.html
http://lists.horde.org/archives/cvs/Week-of-Mon-20051205/thread.html

Greetings and special thanks to Chuck!


---------
solution:
---------
The versions of Horde, Kronolith, Mnemo, Nag and other modules have
been bumped; the new releases can be obtained from
http://www.horde.org

Users are strongly urged to upgrade to the latest release of Horde and
each application. The new Horde release fixes the cellphone field
vulnerability for Turba (and any other applications displaying forms
using Horde_Form_Type_cellphone); all of the other fixes are contained
in the application that they affect.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Johannes Greil > / www.sec-consult.com /
SGT ::: < tke, mei, bmu, dfa > :::
