Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-08-16 Thread Gregory Colpart
Hi,

On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> P.S. Please mention such fixes as security fixes in the
> changelog next time so we can get them easier on our
> radars.

It will be on next upload in unstable:
http://arch.debian.org/cgi-bin/archzoom.cgi/[EMAIL PROTECTED]/horde--sid--3--patch-116/debian/changelog

Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Gregory Colpart
Package: horde3
Version: 3.1.3-4etch3
Severity: important
Tags: patch security

Hello,

There is a small XSS/unescaped output (only exploitable by
someone who can create a contact, and requiring the victim to
have access to that contact).

Patch inline:

Index: services/obrowser/index.php
===
RCS file: /repository/horde/services/obrowser/index.php,v
retrieving revision 1.18
diff -u -r1.18 index.php
--- services/obrowser/index.php 2 Jan 2008 11:13:57 -   1.18
+++ services/obrowser/index.php 13 Jun 2008 21:37:43 -
@@ -92,10 +92,10 @@
 if (!empty($values['browseable'])) {
 $url = Horde::url($registry-get('webroot', 'horde') . 
'/services/obrowser/');
 $url = Util::addParameter($url, 'path', $path);
-$row['name'] = Horde::link($url) . $values['name'] . '/a';
+$row['name'] = Horde::link($url) . htmlspecialchars($values['name']) . 
'/a';
 } else {
 $js = return chooseObject(' . addslashes($path) . ');;
-$row['name'] = Horde::link('#', sprintf(_(Choose %s), 
$values['name']), '', '', $js) . $values['name'] . '/a';
+$row['name'] = Horde::link('#', sprintf(_(Choose %s), 
$values['name']), '', '', $js) . htmlspecialchars($values['name']) . '/a';
 }

 $rows[] = $row;
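Review bot: the second `+` line still hands the raw `$values['name']` to the title argument, `sprintf(_(Choose %s), $values['name'])`, so the fix relies on Horde::link() HTML-escaping its title parameter; that behaviour is not visible in this hunk and should be confirmed, otherwise the name needs escaping there too. Both new `htmlspecialchars($values['name'])` calls also use the default flags and charset; passing ENT_QUOTES and the page charset (for example `htmlspecialchars($values['name'], ENT_QUOTES, 'UTF-8')`) keeps the escaping correct if the same value ever lands in a single-quoted attribute and avoids mis-decoding multibyte contact names. The changelog entry for this change should also be marked as a security fix.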

Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



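The unescaped and fixed forms of the link-text construction side by side, as an added example that is not part of the bug report or of Horde's code; `horde_link_stub()` and the sample contact name are assumptions standing in for Horde::link() and real Turba data:

```php
<?php
// Added example, not Horde's own code: the link-text pattern from
// services/obrowser/index.php in stand-alone form, unescaped beside escaped.
// horde_link_stub() is an assumed stand-in for Horde::link(); it opens an
// <a> tag and escapes the title attribute the same way as the link text.

function esc($s)
{
    // ENT_QUOTES also encodes single quotes, so one helper serves text nodes
    // and both double- and single-quoted attribute values; the explicit
    // charset avoids mis-decoding multibyte contact names.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function horde_link_stub($url, $title = '')
{
    return '<a href="' . esc($url) . '" title="' . esc($title) . '">';
}

// Before the fix: the contact name is concatenated into the markup as-is,
// so any markup in a contact's name is rendered live for whoever views it.
function contact_row_unescaped($url, $name)
{
    return horde_link_stub($url, sprintf('Choose %s', $name)) . $name . '</a>';
}

// After the fix: the name is escaped before it becomes link text.
function contact_row_escaped($url, $name)
{
    return horde_link_stub($url, sprintf('Choose %s', $name)) . esc($name) . '</a>';
}

// Constructed contact name containing the characters HTML treats specially.
$name = 'O\'Neil <i>Jr.</i> & "Co"';
$url  = '/services/obrowser/?path=turba';

echo "unescaped: ", contact_row_unescaped($url, $name), "\n";
echo "escaped:   ", contact_row_escaped($url, $name), "\n";
```

Running it shows the tag and quote characters surviving as live markup in the first line and as entities in the second, while the title attribute is escaped in both because the stub does it itself.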



Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Nico Golde
Hi Gregory,
* Gregory Colpart [EMAIL PROTECTED] [2008-07-27 15:23]:
> There is a small XSS/unescaped output (only exploitable by
> someone who can create a contact, and requiring the victim to
> have access to that contact).
[...] 
This seems to be already fixed in unstable. Which version 
did fix this? I can't see an old CVE id describing this 
problem, is a new CVE id needed for this one?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Gregory Colpart
Hi,

On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> This seems to be already fixed in unstable.

Yes, sure! This issue is only for etch.


> Which version did fix this?

3.2.1+debian0-1 fixed it.


> I can't see an old CVE id describing this problem, is a new CVE
> id needed for this one?

There is no CVE id for it. I'm not sure Debian needs a new CVE id
because upstream said only Horde 3.2 and Turba 2.2 are affected
(these versions are *not* in Debian). Today I'm reviewing old
issues and I found Horde 3.1 could also be affected: I sent
mail to upstream to ask for confirmation. I propose you wait for their
answer.


Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/






Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Nico Golde
Hi Gregory,
* Gregory Colpart [EMAIL PROTECTED] [2008-07-27 16:42]:
> On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> > Which version did fix this?
>
> 3.2.1+debian0-1 fixed it.

Thanks

> > I can't see an old CVE id describing this problem, is a new CVE
> > id needed for this one?
>
> There is no CVE id for it. I'm not sure Debian needs a new CVE id
> because upstream said only Horde 3.2 and Turba 2.2 are affected
> (these versions are *not* in Debian).

But they were in the archive and other vendors might still have them in 
their archive. I also added 2.2.1-1 as the fixed version in 
the security tracker and requested a CVE id.

Cheers
Nico
P.S. Please mention such fixes as security fixes in the 
changelog next time so we can get them easier on our 
radars.

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Gregory Colpart
Hi,

On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > I can't see an old CVE id describing this problem, is a new CVE
> > > id needed for this one?
> >
> > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > (these versions are *not* in Debian).
>
> But they were in the archive and other vendors might still have them in
> their archive. I also added 2.2.1-1 as the fixed version in
> the security tracker and requested a CVE id.

No, these versions were never in the archive.
But yes, other vendors could be affected.


> P.S. Please mention such fixes as security fixes in the
> changelog next time so we can get them easier on our
> radars.

Even if the version affected was not in Debian?


Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/






Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php

2008-07-27 Thread Nico Golde
Hi Gregory,
* Gregory Colpart [EMAIL PROTECTED] [2008-07-27 18:49]:
> On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > > I can't see an old CVE id describing this problem, is a new CVE
> > > > id needed for this one?
> > >
> > > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > > (these versions are *not* in Debian).
> >
> > But they were in the archive and other vendors might still have them in
> > their archive. I also added 2.2.1-1 as the fixed version in
> > the security tracker and requested a CVE id.
>
> No, these versions were never in the archive.
> But yes, other vendors could be affected.

Now I am confused why you opened the bug report then :)
Anyway, every security issue should get a CVE id.
Even if no version in Debian was affected by this it helps 
us to track the security issue.

> > P.S. Please mention such fixes as security fixes in the
> > changelog next time so we can get them easier on our
> > radars.
>
> Even if the version affected was not in Debian?

No, sure not. I just saw you mentioned it in the turba 
changelog (not as security fix) and not in the horde 
changelog.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

