[Tickets #2830] NEW: No validation of data in function getFormData results in XSS vulnerability
bugs@bugs.horde.org
Sun Oct 23 07:20:35 PDT 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=2830
-----------------------------------------------------------------------
Ticket | 2830
Created By | chuanwee at gmail.com
Summary | No validation of data in function getFormData results in XSS vulnerability
Queue | Horde Base
Version | 2.2.8
State | Unconfirmed
Priority | 2. Medium
Type | Bug
Owners |
-----------------------------------------------------------------------
chuanwee at gmail.com (2005-10-23 07:20) wrote:
The function getFormData() in lib/Horde.php does not validate input data,
hence creating a cross-site scripting vulnerability.
By calling http://mail/css.php/css.php?app=...... this causes the input
data to be sent back to the user's browser in the lib/Registry.php function
applicationFilePath()
when the app is not found:
Horde::fatal(new PEAR_Error(sprintf(_("'%s' is not configured in the Horde
Registry."), $app)), __FILE__, __LINE__);
A temporary workaround to remove '%s' works for me. Hope there is a more
thorough solution.
cheers.
ChuanWee
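As an added illustration of the error path described in this report (this is editor-supplied example code, not Horde's lib/Horde.php or lib/Registry.php): a stand-in registry lookup builds the same sprintf() message and hands it to a fatal handler. The first handler interpolates the caller-supplied app name straight into HTML, which is the reflected XSS; the second escapes it for an HTML context, and an allow-list check on the app name is shown as the "more thorough" input-side fix the reporter asks for. The function names, the registry contents and the request value are constructed for the example and are not the real Horde::fatal(), PEAR_Error or Registry implementations.

```php
<?php
// Added example (not Horde's code): a minimal model of the path
// css.php?app=... -> applicationFilePath() -> fatal error page.
// The registry and fatal handlers are simplified stand-ins, not the
// real lib/Registry.php or Horde::fatal().

// Stand-in registry: only these apps are "configured". (Constructed data.)
$registry = ['horde' => '/var/www/horde', 'imp' => '/var/www/horde/imp'];

// Vulnerable variant: the message (containing $app) is written into an
// HTML page unescaped, so a value such as <script>...</script> becomes
// live markup in the user's browser (reflected XSS).
function fatalPageUnsafe(string $message): string
{
    return "<html><body><h1>Fatal error</h1><p>$message</p></body></html>";
}

// Hardened variant: escape for the HTML context before emitting.
// ENT_QUOTES also neutralises both quote styles, so the same helper is
// safe inside attribute values; the charset avoids mis-decoding tricks.
function fatalPageEscaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return "<html><body><h1>Fatal error</h1><p>$safe</p></body></html>";
}

// Input-side check (hypothetical helper): registry application names are
// plain identifiers, so anything outside this allow-list is rejected
// before it can reach an error message at all.
function isValidAppName(string $app): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $app);
}

// Stand-in for applicationFilePath(): builds the message with the same
// sprintf() pattern quoted in the report and passes it to $fatal.
function applicationFilePath(array $registry, string $app, callable $fatal): string
{
    if (!isset($registry[$app])) {
        return $fatal(sprintf("'%s' is not configured in the Horde Registry.", $app));
    }
    return $registry[$app];
}

// Constructed request value standing in for the app=... query parameter.
$app = '<script>alert(document.cookie)</script>';

echo "Unsafe output:\n";
echo applicationFilePath($registry, $app, 'fatalPageUnsafe'), "\n\n";
// -> the <script> element is emitted verbatim and executes in the browser.

echo "Escaped output:\n";
echo applicationFilePath($registry, $app, 'fatalPageEscaped'), "\n\n";
// -> the payload appears as literal text: &lt;script&gt;...&lt;/script&gt;

echo "Allow-list check: ";
echo isValidAppName($app) ? "accepted\n" : "rejected before lookup\n";
// -> rejected before lookup; a name like "imp" would be accepted.
```

Both layers are worth keeping: escaping at the point of output fixes this sink regardless of where the value came from, while the allow-list stops malformed app names from reaching any other sink (log lines, redirects, file paths) that the registry lookup might feed.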