Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Subject: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 14:54:53 +0200
Package: horde3
Version: 3.1.3-4etch3
Severity: important
Tags: patch security
Hello,
There is a small XSS/unescaped output (only exploitable by
someone who can create a contact, and requiring the victim to
have access to that contact).
Patch inline:
Index: services/obrowser/index.php
===================================================================
RCS file: /repository/horde/services/obrowser/index.php,v
retrieving revision 1.18
diff -u -r1.18 index.php
--- services/obrowser/index.php 2 Jan 2008 11:13:57 -0000 1.18
+++ services/obrowser/index.php 13 Jun 2008 21:37:43 -0000
@@ -92,10 +92,10 @@
if (!empty($values['browseable'])) {
$url = Horde::url($registry->get('webroot', 'horde') . '/services/obrowser/');
$url = Util::addParameter($url, 'path', $path);
- $row['name'] = Horde::link($url) . $values['name'] . '</a>';
+ $row['name'] = Horde::link($url) . htmlspecialchars($values['name']) . '</a>';
} else {
$js = "return chooseObject('" . addslashes($path) . "');";
- $row['name'] = Horde::link('#', sprintf(_("Choose %s"), $values['name']), '', '', $js) . $values['name'] . '</a>';
+ $row['name'] = Horde::link('#', sprintf(_("Choose %s"), $values['name']), '', '', $js) . htmlspecialchars($values['name']) . '</a>';
}
$rows[] = $row;
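Review bot: the else branch still hands the raw name to the title argument, `sprintf(_("Choose %s"), $values['name'])`, while only the link text is escaped by this change; confirm that Horde::link() escapes its title parameter before emitting the title attribute, otherwise the same contact name reaches the attribute unescaped and the fix is incomplete. Both added htmlspecialchars() calls also rely on the default flags and charset; passing ENT_QUOTES and the configured output charset explicitly keeps single quotes escaped and avoids a charset mismatch between the stored name and the emitted page.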
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
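The pattern the patch above fixes, as an added self-contained example (not Horde's code): a stand-in build_row_unescaped()/build_row_escaped() pair mirrors the obrowser row construction with a plain anchor instead of Horde::link(), and the escaped variant covers both the link text and the title attribute; $name is a constructed sample.

```php
<?php
// Added example, not Horde code: a minimal stand-in for the obrowser row
// construction, showing the unescaped and the escaped variants side by side.

// Escape a string for an HTML text node or attribute value. ENT_QUOTES also
// escapes single quotes, so the helper is safe inside any quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable variant: the contact name is concatenated into the markup raw,
// as in services/obrowser/index.php before the patch.
function build_row_unescaped(string $name): string
{
    $title = sprintf('Choose %s', $name);
    return '<a href="#" title="' . $title . '">' . $name . '</a>';
}

// Fixed variant: the name is escaped at every point where it reaches the
// HTML output, in the title attribute as well as in the link text.
function build_row_escaped(string $name): string
{
    $title = sprintf('Choose %s', $name);
    return '<a href="#" title="' . h($title) . '">' . h($name) . '</a>';
}

// Constructed sample: a contact name containing markup characters.
$name = 'Smith <b>&</b> "Co"';

echo build_row_unescaped($name), "\n";
echo build_row_escaped($name), "\n";
```

Run with `php example.php`; the first line shows the markup from the name landing in the page intact, the second shows it rendered as literal text.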
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 15:23]:
> There is a small XSS/unescaped output (only exploitable by
> someone who can create a contact, and requiring the victim to
> have access to that contact).
[...]
This seems to be already fixed in unstable. Which version
did fix this? I can't see an old CVE id describing this
problem, is a new CVE id needed for this one?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 15:52:30 +0200
Hi,
On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> This seems to be already fixed in unstable.
Yes, sure! This issue is only for etch.
> Which version did fix this?
3.2.1+debian0-1 fixed it.
> I can't see an old CVE id describing this problem, is a new CVE
> id needed for this one?
There is no CVE id for it. I'm not sure Debian needs a new CVE id
because upstream said only Horde 3.2 and Turba 2.2 are affected
(these versions are *not* in Debian). Today I'm reviewing old
issues and I found Horde 3.1 could also be affected: I sent
mail to upstream to ask for confirmation. I propose you wait for his
answer.
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 16:42]:
> On Sun, Jul 27, 2008 at 03:31:37PM +0200, Nico Golde wrote:
> > Which version did fix this?
>
> 3.2.1+debian0-1 fixed it.
Thanks
> > I can't see an old CVE id describing this problem, is a new CVE
> > id needed for this one?
>
> There is no CVE id for it. I'm not sure Debian needs a new CVE id
> because upstream said only Horde 3.2 and Turba 2.2 are affected
> (these versions are *not* in Debian).
But they were in the archive and other vendors might still have them in
their archive. I also added 2.2.1-1 as the fixed version in
the security tracker and requested a CVE id.
Cheers
Nico
P.S. Please mention such fixes as security fixes in the
changelog next time so we can get them easier on our
radars.
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Subject: Re: Bug#492578: horde3: Small XSS/unescaped output in services/obrowser/index.php
Date: Sun, 27 Jul 2008 17:48:50 +0200
Hi,
On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > I can't see an old CVE id describing this problem, is a new CVE
> > > id needed for this one?
> >
> > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > (these versions are *not* in Debian).
>
> But they were in the archive and other vendors might still have them in
> their archive. I also added 2.2.1-1 as the fixed version in
> the security tracker and requested a CVE id.
No, these versions were never in the archive.
But yes, other vendors could be affected.
> P.S. Please mention such fixes as security fixes in the
> changelog next time so we can get them easier on our
> radars.
Even if the version affected was not in Debian?
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-07-27 18:49]:
> On Sun, Jul 27, 2008 at 05:38:20PM +0200, Nico Golde wrote:
> > > > I can't see an old CVE id describing this problem, is a new CVE
> > > > id needed for this one?
> > >
> > > There is no CVE id for it. I'm not sure Debian needs a new CVE id
> > > because upstream said only Horde 3.2 and Turba 2.2 are affected
> > > (these versions are *not* in Debian).
> >
> > But they were in the archive and other vendors might still have them in
> > their archive. I also added 2.2.1-1 as the fixed version in
> > the security tracker and requested a CVE id.
>
> No, these versions were never in the archive.
> But yes, other vendors could be affected.
Now I am confused why you opened the bug report then :)
Anyway, every security issue should get a CVE id.
Even if no version in Debian was affected by this it helps
us to track the security issue.
> > P.S. Please mention such fixes as security fixes in the
> > changelog next time so we can get them easier on our
> > radars.
>
> Even if the version affected was not in Debian?
No, sure not. I just saw you mentioned it in the turba
changelog (not as security fix) and not in the horde
changelog.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi,
a CVE id has been assigned to this issue:
======================================================
Name: CVE-2008-3330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3330
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492578
Cross-site scripting (XSS) vulnerability in
services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote
attackers to inject arbitrary web script or HTML via the contact name.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Subject: [chuck@horde.org: Re: [horde-vendor] Pending release of Horde 3.2.1 and Turba 2.2.1]
Date: Tue, 29 Jul 2008 21:26:16 +0200
Hi,
I have confirmation from upstream that horde3 from stable is affected.
Regards,
----- Forwarded message from Chuck Hagenbuch <chuck@horde.org> -----
Date: Mon, 28 Jul 2008 00:35:05 -0400
From: Chuck Hagenbuch <chuck@horde.org>
To: Gregory Colpart <reg@evolix.fr>
Subject: Re: [horde-vendor] Pending release of Horde 3.2.1 and Turba 2.2.1
Message-ID: <20080728003505.131045q34qn0lrwg@technest.org>
References: <20080613174043.17513zvzso5nca4g@technest.org>
<20080727150729.onganohv@hamtrap.sc420.evolix.net>
User-Agent: Internet Messaging Program (IMP) H3 (5.0-cvs)
Quoting Gregory Colpart <reg@evolix.fr>:
>I'm reviewing this issue to see if Horde 3.1 and Turba 2.1 are
>affected. Here are the results:
>
>- Horde 3.1 seems to be concerned (your patch for
> 'services/obrowser/index.php' file just works).
>
>- Turba 2.1 is not. 'contact.php' file doesn't exist, code is in
> 'browse.php' and 'templates/browse/header.inc':
>
>browse.php:
>--8<--
> $title = sprintf(_("Contacts in list: %s"),
> $list->getValue('name'));
>--8<--
>
>templates/browse/header.inc:
>--8<--
><h1 class="header">
> <?php echo htmlspecialchars($title) ?>
></h1>
>--8<--
>
> I think Turba 2.1 is not affected.
Correct.
>Can you confirm these results? If yes, do you think Horde 3.1
>needs to be patched anyway?
We released Horde 3.1.8 at the same time as 3.2.1 for this reason.
-chuck
----- End forwarded message -----
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hello,
The package horde3 has a vulnerability (See CVE-2008-3330 and
#492578).
I prepared a fixed package for the etch version (source package and
debdiff):
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff
Information for the advisory:
8<----------------------------------
horde3 -- cross-site scripting vulnerability
Date Reported:
?? Aug 2008
Affected Packages:
horde3
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2008-3330
More information:
It was discovered that the Horde web application framework
has insufficient input sanitising in services/obrowser/index.php
(CVE-2008-3330).
For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.
The unstable distribution (sid) is not affected.
We recommend that you upgrade your horde3 package.
8<----------------------------------
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi Gregory,
* Gregory Colpart <reg@evolix.fr> [2008-08-17 13:20]:
> The package horde3 has a vulnerability (See CVE-2008-3330 and
> #492578).
>
> I prepared a fixed package for the etch version (source package and
> debdiff):
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff
Looks good to me. Thanks for the work. Feel free to upload
this to security-master so someone from the stable team can
release it.
[...]
> For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.
>
> The unstable distribution (sid) is not affected.
This is wrong, it is fixed in 3.2.1+debian0-1. Not affected
is only used if the package in Debian was never affected
because of a specific reason, like for example patched code.
If a vulnerable version was never in unstable we still
include version numbers for the tracker.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>: Bug#492578; Package horde3.
Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
Hi Nico,
On Sun, Aug 17, 2008 at 01:36:24PM +0200, Nico Golde wrote:
> > I prepared a fixed package for the etch version (source package and
> > debdiff):
> > http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4.dsc
> > http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch3_3.1.3-4etch4.diff
>
> Looks good to me. Thanks for the work. Feel free to upload
> this to security-master so someone from the stable team can
> release it.
Ok, but IANyADD (currently in NM), so I think it's not yet relevant.
> [...]
> > For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch4.
> >
> > The unstable distribution (sid) is not affected.
>
> This is wrong, it is fixed in 3.2.1+debian0-1. Not affected
> is only used if the package in Debian was never affected
> because of a specific reason, like for example patched code.
> If a vulnerable version was never in unstable we still
> include version numbers for the tracker.
Oops, I'll note that for my next draft of the advisory!
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Tags added: pending
Request was from Gregory Colpart <reg@evolix.fr>
to control@bugs.debian.org.
(Tue, 19 Aug 2008 07:39:15 GMT)
Reply sent
to Gregory Colpart <reg@evolix.fr>:
You have taken responsibility.
(Sun, 26 Apr 2009 01:54:06 GMT)
Notification sent
to Gregory Colpart <reg@evolix.fr>:
Bug acknowledged by developer.
(Sun, 26 Apr 2009 01:54:06 GMT)
Source: horde3
Source-Version: 3.1.3-4etch5
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:
horde3_3.1.3-4etch5.diff.gz
to pool/main/h/horde3/horde3_3.1.3-4etch5.diff.gz
horde3_3.1.3-4etch5.dsc
to pool/main/h/horde3/horde3_3.1.3-4etch5.dsc
horde3_3.1.3-4etch5_all.deb
to pool/main/h/horde3/horde3_3.1.3-4etch5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 492578@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated horde3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 29 Jan 2009 03:17:37 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.1.3-4etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description:
horde3 - horde web application framework
Closes: 492578 512592 513265
Changes:
horde3 (3.1.3-4etch5) oldstable-security; urgency=high
.
* Backport a patch from Horde upstream to fix an IE-only hole in XSS filter
(See CVE-2008-5917 for more information). (Closes: #512592)
* Backport a patch from Horde upstream to fix a file inclusion issue in
Horde_Image driver name (Image/Image.php). (Closes: #513265)
* Fix small XSS/unescaped output vulnerability in services/obrowser/index.php
(see CVE-2008-3330 for more information). (Closes: #492578)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 May 2009 07:35:19 GMT)