[pkg-horde] Bug#513266: imp4: XSS via {smime,pgp}.php

Gregory Colpart reg at evolix.fr
Tue Jan 27 18:21:22 UTC 2009


Package: imp4
Version: 4.2-3
Severity: important
Tags: patch security

Hello,

Patch inline :

Index: imp/pgp.php
===================================================================
RCS file: /repository/imp/pgp.php,v
retrieving revision 2.79.6.15
diff -u -r2.79.6.15 pgp.php
--- imp/pgp.php 11 Apr 2008 20:50:42 -0000      2.79.6.15
+++ imp/pgp.php 21 Jan 2009 21:57:31 -0000
@@ -40,7 +40,7 @@
     $t->set('symmetric', $symmetric);
     $t->set('submit_url', Util::addParameter(Horde::applicationUrl('pgp.php'), 'actionID', $symmetric ?
+'process_symmetric_passphrase_dialog' : 'process_passphrase_dialog'));
     $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
-    $t->set('action', Util::getFormData('passphrase_action'));
+    $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
     $t->set('locked_img', Horde::img('locked.png', _("PGP"), null, $GLOBALS['registry']->getImageDir('horde')));
     echo $t->fetch(IMP_TEMPLATES . '/pgp/passphrase.html');
 }
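Review bot: The added `htmlspecialchars(Util::getFormData('passphrase_action'))` in pgp.php, and the identical line in the smime.php hunk at -63, relies on the default flags, which in the PHP versions of this period escape double quotes but leave single quotes untouched. Whether that is sufficient depends on how `passphrase.html` emits `action`, which is not visible here; a single-quoted attribute or a script context would not be covered. Passing the flag explicitly closes the quote gap: `$t->set('action', htmlspecialchars(Util::getFormData('passphrase_action'), ENT_QUOTES));`. The parameter presumably names one of a small set of known actions, so checking it against that fixed list before it reaches the template would be the stronger guard.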
@@ -66,7 +66,7 @@

 function _reloadWindow()
 {
-    Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+    Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
 }

 function _getImportKey()
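Review bot: In `_reloadWindow()` the `reload` value is concatenated into a JavaScript string literal, and `htmlspecialchars()` is an HTML encoder, so it is the wrong escape for this context. Backslashes and line breaks pass through unchanged, and if `Util::closeWindowJS()` writes the code into a script block (its output is not visible here) every `&` in a legitimate URL becomes `&amp;` and the redirect breaks. The value is also the navigation target assigned to `opener.location.href`, and entity encoding does nothing to restrict its scheme or host, so it should first be checked to be a URL belonging to this application. For the string context, a JavaScript-aware encoder fits better where the supported PHP version provides one, e.g. `Util::closeWindowJS('opener.focus();opener.location.href=' . json_encode($reload) . ';');` with `$reload` being the validated value. The same line is added to `_reloadWindow()` in smime.php (hunk at -79) and needs the same treatment.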
Index: imp/smime.php
===================================================================
RCS file: /repository/imp/smime.php,v
retrieving revision 2.48.4.12
diff -u -r2.48.4.12 smime.php
--- imp/smime.php       8 Apr 2008 04:48:53 -0000       2.48.4.12
+++ imp/smime.php       21 Jan 2009 21:57:31 -0000
@@ -63,7 +63,7 @@
     $t->setOption('gettext', true);
     $t->set('submit_url', Util::addParameter(Horde::applicationUrl('smime.php'), 'actionID',
+'process_passphrase_dialog'));
     $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
-    $t->set('action', Util::getFormData('passphrase_action'));
+    $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
     $t->set('locked_img', Horde::img('locked.png', _("S/MIME"), null, $GLOBALS['registry']->getImageDir('horde')));
     echo $t->fetch(IMP_TEMPLATES . '/smime/passphrase.html');
 }
@@ -79,7 +79,7 @@

 function _reloadWindow()
 {
-    Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+    Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
 }

 function _textWindowOutput($filename, $msg, $html = false)


Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




