[Tickets #8399] Re: Number preferences are not validated properly

bugs at horde.org
Sat Jul 11 21:08:06 UTC 2009


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/8399
------------------------------------------------------------------------------
  Ticket             | 8399
  Updated By         | Chuck Hagenbuch <chuck at horde.org>
-Summary            | Multiple Cross Site Scripting Vulnerabilities
+Summary            | Number preferences are not validated properly
  Queue              | Horde Base
-Version            | 3.1
+Version            | HEAD
  Type               | Bug
-State              | Unconfirmed
+State              | Assigned
  Priority           | 2. Medium
-Milestone          |
+Milestone          | 3.3.5
  Patch              |
-Owners             |
+Owners             | Horde Developers, Chuck Hagenbuch
------------------------------------------------------------------------------


Chuck Hagenbuch <chuck at horde.org> (2009-07-11 17:08) wrote:

> Multiple cross site scripting vulnerabilities exist.  Proof of concepts:

Horde 3.1 has been deprecated for a long time. The current stable  
version is 3.3, and we backport serious security fixes to 3.2.

> http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["

This file doesn't exist in 3.2 or later.

> https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>

This was fixed almost 2 years ago, before 3.2.0:
http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9

> POST to http://hordeserver.com/horde/services/prefs.php with the  
> following content:
>
> actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on

This I can actually reproduce as a problem. Patch forthcoming.
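
A server-side check of the kind the ticket summary calls for, as an added example that is not Horde's code and not the forthcoming patch. The schema, bounds and function name are assumptions, and the sample input is constructed.

```php
<?php
// Hypothetical schema: field names come from the request quoted above,
// the types and bounds are assumptions made for this example.
const PREF_SCHEMA = [
    'sidebar_width'        => ['type' => 'number', 'min' => 50, 'max' => 2000],
    'summary_refresh_time' => ['type' => 'number', 'min' => 0, 'max' => 86400],
    'menu_refresh_time'    => ['type' => 'number', 'min' => 0, 'max' => 86400],
    'theme'                => ['type' => 'enum', 'values' => ['azur']],
];

// Returns [accepted values, names of rejected fields]. Fields that are not
// in the schema are ignored rather than stored.
function validate_prefs(array $post): array
{
    $accepted = [];
    $rejected = [];
    foreach (PREF_SCHEMA as $name => $rule) {
        if (!array_key_exists($name, $post)) {
            continue;
        }
        $raw = $post[$name];
        $value = false;
        if (is_string($raw) && $rule['type'] === 'number') {
            // FILTER_VALIDATE_INT fails on trailing non-digits, unlike
            // (int) or intval(), which would keep the leading "1337".
            $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'],
                'max_range' => $rule['max'],
            ]]);
        } elseif (is_string($raw) && $rule['type'] === 'enum'
            && in_array($raw, $rule['values'], true)) {
            $value = $raw;
        }
        if ($value === false) {
            $rejected[] = $name;
        } else {
            $accepted[$name] = $value;
        }
    }
    return [$accepted, $rejected];
}

// Constructed input: a number preference carrying non-numeric text.
$post = [
    'theme'                => 'azur',
    'summary_refresh_time' => '0',
    'sidebar_width'        => '1337//--> not a number',
];
[$accepted, $rejected] = validate_prefs($post);
var_dump($accepted, $rejected);
```

Validating when the preference is saved does not replace encoding the stored value for the context it is later written into, since values saved before the check existed may still be in the preference store.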





