[pkg-horde] Latest Horde security problems

Gregory Colpart reg at evolix.fr
Wed Jun 27 00:17:36 UTC 2007


On Thu, Jun 21, 2007 at 02:29:39PM +0200, Lionel Elie Mamane wrote:
> > please note that this issue from upstream changelog is still unfixed
> > in Etch:
> > - Fixed an XSS vulnerability in the language selection.
> > Also, please work on a Sarge update.

Jan Schneider (Horde upstream) says "I'm not sure how this could
be exploited with XSS" about this patch[*]. I investiguate: an
attacker could inject data in a particular PHP SESSION variable
*but* the only use of this variable is to be compared with
definite values.

I'm not a guru of XSS vulnerabilities but I think there is no
need of security updates for this changelog line.

[*] http://bugs.horde.org/ticket/?id=4816

Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/

More information about the pkg-horde-hackers mailing list