Debian Bug report logs - #513266
imp4: XSS via {smime,pgp}.php

Package: imp4; Maintainer for imp4 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Gregory Colpart <reg@evolix.fr>

Date: Tue, 27 Jan 2009 18:24:07 UTC

Severity: important

Tags: patch, security

Found in version imp4/4.2-3

Fixed in version imp4/4.2-4

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513266; Package imp4. (Tue, 27 Jan 2009 18:24:09 GMT)

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Tue, 27 Jan 2009 18:24:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: submit@bugs.debian.org
Subject: imp4: XSS via {smime,pgp}.php
Date: Tue, 27 Jan 2009 19:21:22 +0100
Package: imp4
Version: 4.2-3
Severity: important
Tags: patch security

Hello,

Patch inline:

Index: imp/pgp.php
===================================================================
RCS file: /repository/imp/pgp.php,v
retrieving revision 2.79.6.15
diff -u -r2.79.6.15 pgp.php
--- imp/pgp.php 11 Apr 2008 20:50:42 -0000      2.79.6.15
+++ imp/pgp.php 21 Jan 2009 21:57:31 -0000
@@ -40,7 +40,7 @@
     $t->set('symmetric', $symmetric);
     $t->set('submit_url', Util::addParameter(Horde::applicationUrl('pgp.php'), 'actionID', $symmetric ?
+'process_symmetric_passphrase_dialog' : 'process_passphrase_dialog'));
     $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
-    $t->set('action', Util::getFormData('passphrase_action'));
+    $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
     $t->set('locked_img', Horde::img('locked.png', _("PGP"), null, $GLOBALS['registry']->getImageDir('horde')));
     echo $t->fetch(IMP_TEMPLATES . '/pgp/passphrase.html');
 }
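
Review bot: In the `$t->set('action', ...)` line, `htmlspecialchars()` is called with no flags argument, which on the PHP versions of this era means ENT_COMPAT and leaves single quotes unescaped. Whether that is sufficient depends on how `passphrase.html` emits `action`, and the template is not part of this patch; passing `ENT_QUOTES` here and on the existing `reload` line would cover both attribute quoting styles. Separately, the line beginning `+'process_symmetric_passphrase_dialog'` is a mail-wrapped continuation of the unchanged `submit_url` line rather than an addition, so the hunk will not apply as posted; sending the patch as an attachment would avoid that.
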
@@ -66,7 +66,7 @@

 function _reloadWindow()
 {
-    Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+    Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
 }

 function _getImportKey()
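
Review bot: In `_reloadWindow()`, `htmlspecialchars()` is an HTML encoder applied to a value that is concatenated into a JavaScript string literal assigned to `opener.location.href`. HTML-escaping does nothing for backslashes or line breaks inside that literal, it can rewrite `&` in a legitimate multi-parameter URL, and it places no restriction on which URL the opener window is sent to. Suggest encoding `reload` as a JavaScript string instead and checking that it is a URL inside the application before it is emitted.
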
Index: imp/smime.php
===================================================================
RCS file: /repository/imp/smime.php,v
retrieving revision 2.48.4.12
diff -u -r2.48.4.12 smime.php
--- imp/smime.php       8 Apr 2008 04:48:53 -0000       2.48.4.12
+++ imp/smime.php       21 Jan 2009 21:57:31 -0000
@@ -63,7 +63,7 @@
     $t->setOption('gettext', true);
     $t->set('submit_url', Util::addParameter(Horde::applicationUrl('smime.php'), 'actionID',
+'process_passphrase_dialog'));
     $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
-    $t->set('action', Util::getFormData('passphrase_action'));
+    $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
     $t->set('locked_img', Horde::img('locked.png', _("S/MIME"), null, $GLOBALS['registry']->getImageDir('horde')));
     echo $t->fetch(IMP_TEMPLATES . '/smime/passphrase.html');
 }
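
Review bot: The new `action` line uses a bare `htmlspecialchars()`, while the `reload` line directly above it in this hunk runs `html_entity_decode()` first and the corresponding `reload` line in pgp.php does not. These request values should get one consistent treatment, with a comment explaining the decode step if it is really needed. The `+'process_passphrase_dialog'));` line is also a mail-wrapped continuation of the `submit_url` context line, not an added line, so this hunk will not apply as posted either.
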
@@ -79,7 +79,7 @@

 function _reloadWindow()
 {
-    Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+    Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
 }

 function _textWindowOutput($filename, $msg, $html = false)
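
Review bot: `_reloadWindow()` here is a line-for-line copy of the function patched in pgp.php, including the HTML-escaping of a value that ends up inside a JavaScript string literal, so any later correction has to be made in two places. Consider moving the `reload` handling into one shared helper that both scripts call, so the encoding and any URL check live in a single place.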


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513266; Package imp4. (Wed, 28 Jan 2009 08:24:06 GMT)

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 28 Jan 2009 08:24:06 GMT)

Message #10 received at 513266@bugs.debian.org:

From: Tomas Hoger <thoger@redhat.com>
To: 513266@bugs.debian.org
Subject: imp4: XSS via {smime,pgp}.php
Date: Wed, 28 Jan 2009 09:22:53 +0100
Hi!

Upstream changelog and announcement also mention message.php:
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.301.2.1&r2=1.699.2.301.2.4&ty=h

So probably this one too:
http://cvs.horde.org/diff.php/imp/message.php?r1=2.560.4.56&r2=2.560.4.56.4.1

HTH

-- 
Tomas Hoger




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513266; Package imp4. (Wed, 28 Jan 2009 12:12:07 GMT)

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 28 Jan 2009 12:12:07 GMT)

Message #15 received at 513266@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Tomas Hoger <thoger@redhat.com>, 513266@bugs.debian.org
Subject: Re: [pkg-horde] Bug#513266: imp4: XSS via {smime,pgp}.php
Date: Wed, 28 Jan 2009 13:10:35 +0100
Hi,

On Wed, Jan 28, 2009 at 09:22:53AM +0100, Tomas Hoger wrote:
> 
> Upstream changelog and announcement also mention message.php:
> http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.301.2.1&r2=1.699.2.301.2.4&ty=h
> 
> So probably this one too:
> http://cvs.horde.org/diff.php/imp/message.php?r1=2.560.4.56&r2=2.560.4.56.4.1

Exactly, thanks!

I'm preparing uploads for horde3 and imp4 packages today.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513266; Package imp4. (Thu, 29 Jan 2009 03:09:02 GMT)

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 29 Jan 2009 03:09:38 GMT)

Message #20 received at 513266@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 513266@bugs.debian.org
Subject: Debdiff for stable-security
Date: Thu, 29 Jan 2009 04:04:46 +0100
Hello,

Etch is also impacted by this bug. Debdiff is here:
http://gcolpart.evolix.net/debian/imp4/imp4_4.1.3-4_4.1.3-4etch1.diff

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2009 03:27:02 GMT)

Notification sent to Gregory Colpart <reg@evolix.fr>:
Bug acknowledged by developer. (Thu, 29 Jan 2009 03:27:03 GMT)

Message #25 received at 513266-close@bugs.debian.org:

From: Gregory Colpart <reg@debian.org>
To: 513266-close@bugs.debian.org
Subject: Bug#513266: fixed in imp4 4.2-4
Date: Thu, 29 Jan 2009 03:02:18 +0000
Source: imp4
Source-Version: 4.2-4

We believe that the bug you reported is fixed in the latest version of
imp4, which is due to be installed in the Debian FTP archive:

imp4_4.2-4.diff.gz
  to pool/main/i/imp4/imp4_4.2-4.diff.gz
imp4_4.2-4.dsc
  to pool/main/i/imp4/imp4_4.2-4.dsc
imp4_4.2-4_all.deb
  to pool/main/i/imp4/imp4_4.2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513266@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated imp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Jan 2009 02:38:27 +0100
Source: imp4
Binary: imp4
Architecture: source all
Version: 4.2-4
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 imp4       - webmail component for horde framework
Closes: 513266
Changes: 
 imp4 (4.2-4) unstable; urgency=high
 .
   * Include patches from Horde upstream to fix unescaped output in several
     scripts (imp/{smime,pgp}.php and message.php). (Closes: #513266)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmBDgoACgkQMhdcDcECeg74ewCfSZm1etF+xijEu4n7UC+RdLYS
SbEAn0IiP61AB7JqVGUz3roVoQ1YlAS4
=9kvA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Mar 2009 07:32:00 GMT)