[dev] Order by Thread

Chuck Hagenbuch chuck@horde.org
Mon, 18 Mar 2002 14:27:35 -0500


Quoting Federico Giannici <giannici@neomedia.it>:

> After I click on "Order by Thread", how can I return to my default
> ordering (by date received)?

Click on the column headers like you normally do.

> Moreover, I don't like the place were the "Order by Thread" link is
> placed: the other adjacent links operate on the selected messages,
> while that link operates on the entire mailbox view.

Do you have a suggestion for where it ought to be?

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"A dream which helps you to live your reality with dignity
 and justice is a good dream." - Tariq Ramadan


[dev] cross site scripting bugs

Nuno Loureiro nuno@eth.pt
Mon, 18 Mar 2002 21:36:20 +0000

Hi!

   It seems imp & horde, probably other horde apps and phplib (for horde
1), still have some security problems, regarding cross site scripting.

   It seems that all versions are vulnerable, at least, STABLE_2_2,
HEAD, and RELENG_* are. The problem is that there are variables to
construct links or passed via hidden fields in a form, that are based on
variables passed by GET without htmlspecialchars() them.

   I'll not post any "exploits" or how to login in someone else's
account using this bug. You'll probably figure it out. I'll just post
the problems I've found and a possible patch to the 3 versions. I'm not
posting this to any security mailing lists, at least till this subject
is discussed here and a fix has been committed (either mine or
someone else's).

   You can check the examples below, to demonstrate these bugs.

   Here's an example for STABLE_2_2:
http://example.com/horde/imp/message.php3?index=46255"><script>alert(document.cookie)</script>&array_index=11
or,
http://example.com/horde/imp/message.php3?index=46255%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&array_index=11

   And here's an example for RELENG_3:
http://example.com/horde/imp/mailbox.php?mailbox=INBOX"><script>alert(document.cookie)</script>
or,
http://example.com/horde/imp/mailbox.php?mailbox=INBOX%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

I think this demonstration will pop up a window with horde/imp's cookies
on the 3 versions - STABLE_2_2 , HEAD and RELENG.

Let's discuss a bit more the problems and the fixes.

   Let's start with STABLE_2_2:

--------- horde/imp/mailbox.php3:

   The user can run JS code changing the contents of $sortdir variable.
In horde/imp/templates/mailbox/message_headers.inc, $imp->sortdir is
used to construct the links for sorting. $imp->sortdir is defined in the
constructor of ImpSession class and setSorting() function.

   Also, the action field of the forms is $sess->pself_url().
If you append "><script>alert(document.cookie)</script> to the url and
you are using netscape 4.x, $sess->pself_url() will return the url you
just wrote not encoded, because netscape 4.x doesn't encode urls.

   Fix: The link is constructed using phplib's Session::purl(). You can
modify Session::url() function to return htmlspecialchars($url) instead
of returning $url. Or you can modify horde/lib/horde.lib and
htmlspecialchar($sortdir) in ImpSession::setSorting() function.

--------- horde/imp/message.php3:

   The user can run JS code changing the contents of $array_index and
$index variables. In horde/imp/templates/message/navbar*.inc there are 2
hidden inputs, and $index is used to construct the links reply, reply
all, etc, via $sess->purl().

   Fix: If you fixed Session::purl() as I wrote earlier, you just need
to htmlspecialchars($index) in navbar.inc and htmlspecialchars() $index
and $array_index in the hidden inputs.

--------- horde/imp/compose.php3:

   Similarly, but with var $index.

   Fix: $index = htmlspecialchars($index) in compose.php3

--------- horde/imp/status.php3:

  Recently, it was found that status.php3 had a similar problem with
$message variable. It seems that $status variable suffers the same
problem.

  Fix: htmlspecialchar($status) in horde/imp/templates/status/body.inc

--------- horde/imp/login.php3:

  The user can run JS code changing the contents of $reason variable.

  Fix: htmlspecialchars($reason) in login.php3


Now, let's go to RELENG and HEAD:

--------- horde/imp/mailbox.php:

  Var $page is printed clearly in
horde/imp/templates/mailbox/{message_footers,navbar}.inc, so you can
change its content and run JS code. Var $mailbox suffers the same problem
in horde/imp/templates/mailbox

  Fix: add $page = Horde::getFormData('page') in mailbox.php

--------- horde/imp/compose.php:

  Vars $references and $in_reply_to, found in spell check (actionID=131)
have the same problem in horde/imp/templates/compose/spelling.inc.

 Fix: htmlspecialchars($reference) and htmlspecialchars($in_reply_to) in
spelling.inc


You can find the patches described in this email here:

 http://hq.eth.pt/nuno/horde/patch_CCSB-RELENG.gz
 http://hq.eth.pt/nuno/horde/patch_CCSB-STABLE.gz

You can apply patch_CCSB-RELENG to HEAD. At least, it just worked for
me.

The patches were done using cvs diff -u.

Any comments are more than welcome.

Regards,

  Nuno

PS: Talking with Chuck on IRC, he told me that changing return in $sess->url()
function should be avoided.
Not changing it, there are more variables that can be exploited. There was
a problem with the original patch for RELENG, so I did
a new one, so there are more variables with the same problem for sure.

More on this subject to come...

--
Nuno Loureiro <nuno@eth.pt>
Ethernet, Soluções Informáticas, LDA
http://www.eth.pt
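As an added illustration (not code from the Horde project or from the patches linked in the mail), this PHP snippet shows the template pattern the report describes: a value taken from GET is written into a link and a hidden input, once raw and once through htmlspecialchars(). The function names, the fixed sample input and the ENT_QUOTES/urlencode() hardening are assumptions for illustration.

```php
<?php
// Constructed sample input: the "index" value from the message.php3 example
// in the mail, as the browser would deliver it after decoding the query string.
$index   = '46255"><script>alert(document.cookie)</script>';
$mailbox = 'INBOX';

// Unpatched pattern (hypothetical navbar template): raw interpolation.
// The double quote in $index closes the href / value attribute, so the
// remainder of the value becomes markup instead of attribute text.
function navbar_vulnerable($index, $mailbox)
{
    return '<a href="message.php3?index=' . $index . '">Reply</a>' . "\n"
         . '<input type="hidden" name="index" value="' . $index . '">' . "\n"
         . '<input type="hidden" name="mailbox" value="' . $mailbox . '">';
}

// Patched pattern: every GET-derived value goes through htmlspecialchars()
// before it is written into an attribute. ENT_QUOTES also escapes single
// quotes, which matters for templates that quote attributes with '.
// For the href, urlencode() first keeps the value a valid query parameter,
// and htmlspecialchars() then makes the whole URL safe inside the attribute.
function navbar_fixed($index, $mailbox)
{
    $href = 'message.php3?index=' . urlencode($index);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'ISO-8859-1') . '">Reply</a>' . "\n"
         . '<input type="hidden" name="index" value="'
         . htmlspecialchars($index, ENT_QUOTES, 'ISO-8859-1') . '">' . "\n"
         . '<input type="hidden" name="mailbox" value="'
         . htmlspecialchars($mailbox, ENT_QUOTES, 'ISO-8859-1') . '">';
}

// Simple regression check a developer can keep next to a template: the
// rendered output must never contain a raw <script> tag or an unescaped
// quote that originated from request data.
function output_is_escaped($html)
{
    return stripos($html, '<script') === false
        && strpos($html, 'value="46255"><') === false;
}

$raw   = navbar_vulnerable($index, $mailbox);
$fixed = navbar_fixed($index, $mailbox);

echo "vulnerable:\n", $raw, "\n\n";     // contains a live <script> element
echo "fixed:\n", $fixed, "\n\n";        // <script> appears only as &lt;script&gt;
echo 'vulnerable escaped? ', var_export(output_is_escaped($raw), true), "\n";   // false
echo 'fixed escaped?      ', var_export(output_is_escaped($fixed), true), "\n"; // true
```

Run it with `php example.php`; the first rendering shows the attribute being closed by the injected quote, the second shows the same value reduced to inert text.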