[pkg-horde] Bug#434045: security-bug informations for horde3 package

Ola Lundqvist ola at opalsys.net
Sun Jul 22 12:14:54 UTC 2007


Hi

What the attacker can do is the following:
* Set up a fake site.
* Trick some user to go to that site.
* Redirect the user to the real site and inject some fake login code or
  similar.

There is proof on SecurityFocus that it is possible:

[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=%22alert%28'XSS'%29%3B

I could not really understand how that is possible, as the only place
where the code does not look like this:

isset($GLOBALS['nls']['rtl'][$GLOBALS['language']]

is in the mobile device handling code... However, I have tested it myself and
yes, it is possible to do this kind of XSS thing, so it must be some other
variable that is set somewhere.

In any case I'm uploading the sid version now.

Regards,

// Ola

On Sun, Jul 22, 2007 at 09:06:48AM +0200, Gregory Colpart wrote:
> Hello,
> 
> The package horde3 has XSS vulnerability (See CVE-2007-1473 and bug #434045).
> Affected versions are:
> - sarge version (3.0.4-4sarge4)
> - etch version (3.1.3-4)
> - testing/unstable version (3.1.3-5)
> 
> 
> Upstream patch is trivial
> (http://bugs.horde.org/ticket/?id=4816):
> 
> 8<----------------------------------
> - } elseif (!empty($lang)) {
> + } elseif (!empty($lang) && NLS::isValid($lang)) {
> 8<----------------------------------
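Review bot: The added `NLS::isValid($lang)` allowlist check covers only this one `elseif (!empty($lang))` branch, and because the hunk is quoted without a file name or context lines it is not visible where `$lang` is assigned from the `new_lang` parameter (the advisory points at framework/NLS/NLS.php) or whether other code paths that take a language value, such as the mobile device handling code mentioned earlier in this thread, receive the same validation. Suggest quoting the hunk with its header and context so the reviewer can confirm this branch is the only route from `new_lang` into the rendered page, and, independently of the validation, escaping the language value at the point where it is echoed into HTML so a value that bypasses the check cannot terminate the attribute it is written into.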
> 
> 
> I prepared fixed packages:
> 
> - sarge version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff
> 
> - etch version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff
> 
> - unstable version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff
> 
> Note that I'm a member of the pkg-horde team but I'm not a DD, so
> I am waiting for my sponsor to upload the unstable package.
> 
> 
> If you want to test the vulnerability, you could go to:
> http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
> (I can provide you vulnerable URL in private if you want)
> 
> 
> Information for the advisory:
> 
> 8<----------------------------------
> horde3 -- XSS vulnerability
> 
> Date Reported:
>     ?? Jul 2007
> Affected Packages:
>     horde3
> Vulnerable:
>     Yes
> Security database references:
>     In Mitre's CVE dictionary: CVE-2007-1473
> More information:
> 
> It was discovered that the Horde web application framework has a cross-site
> scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote attackers
> to inject arbitrary web script or HTML via the new_lang parameter.
> 
> For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.
> 
> For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.
> 
> For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.
> 
> We recommend that you upgrade your horde3 package.
> 8<----------------------------------
> 
> 
> Regards,
> -- 
> Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  ola at opalsys.net                   Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://opalsys.net/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
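An added PHP example (not Horde's code and not from either poster in this thread) modelling the patched branch quoted above: a language code arriving via `new_lang` is accepted only if it is a key of the configured language table, and the selected code is escaped when written into markup. The shape of `$nls['languages']` and the `lang_is_valid()` helper standing in for `NLS::isValid()` are assumptions.

```php
<?php
// Added example, not Horde code. Models the language-selection branch the
// upstream patch changes: a new_lang value is accepted only if it is a key
// of the configured language table.

// Constructed language table in the shape assumed for Horde's nls config.
$nls = array(
    'languages' => array(
        'en_US' => 'English (American)',
        'de_DE' => 'Deutsch',
        'sv_SE' => 'Svenska',
    ),
);

/**
 * Allowlist check standing in for NLS::isValid(): true only when $lang is
 * exactly one of the configured language codes (assumed semantics).
 */
function lang_is_valid($lang, array $nls)
{
    return is_string($lang) && isset($nls['languages'][$lang]);
}

/**
 * Language selection as in the patched elseif branch: an unknown or
 * attacker-controlled value falls back to the default instead of being
 * carried into the page.
 */
function select_language($lang, array $nls, $default = 'en_US')
{
    if (!empty($lang) && lang_is_valid($lang, $nls)) {
        return $lang;
    }
    return $default;
}

/**
 * Rendering helper: even a valid code is escaped when echoed into an HTML
 * attribute, so the output cannot close the attribute it is written into.
 */
function lang_attribute($lang)
{
    return 'lang="' . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '"';
}

// Decoded form of the value from the report, used here only as test input.
$hostile = '"><body onload="alert(\'XSS\');';
var_dump(select_language($hostile, $nls));   // falls back to the default
var_dump(select_language('sv_SE', $nls));    // a configured code passes
echo lang_attribute(select_language($hostile, $nls)), "\n";
```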