[pkg-horde] Bug#513266: imp4: XSS via {smime,pgp}.php
Gregory Colpart
reg at evolix.fr
Tue Jan 27 18:21:22 UTC 2009
Package: imp4
Version: 4.2-3
Severity: important
Tags: patch security
Hello,
Patch inline :
Index: imp/pgp.php
===================================================================
RCS file: /repository/imp/pgp.php,v
retrieving revision 2.79.6.15
diff -u -r2.79.6.15 pgp.php
--- imp/pgp.php 11 Apr 2008 20:50:42 -0000 2.79.6.15
+++ imp/pgp.php 21 Jan 2009 21:57:31 -0000
@@ -40,7 +40,7 @@
$t->set('symmetric', $symmetric);
$t->set('submit_url', Util::addParameter(Horde::applicationUrl('pgp.php'), 'actionID', $symmetric ?
+'process_symmetric_passphrase_dialog' : 'process_passphrase_dialog'));
$t->set('reload', htmlspecialchars(Util::getFormData('reload')));
- $t->set('action', Util::getFormData('passphrase_action'));
+ $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
$t->set('locked_img', Horde::img('locked.png', _("PGP"), null, $GLOBALS['registry']->getImageDir('horde')));
echo $t->fetch(IMP_TEMPLATES . '/pgp/passphrase.html');
}
@@ -66,7 +66,7 @@
function _reloadWindow()
{
- Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+ Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
}
function _getImportKey()
Index: imp/smime.php
===================================================================
RCS file: /repository/imp/smime.php,v
retrieving revision 2.48.4.12
diff -u -r2.48.4.12 smime.php
--- imp/smime.php 8 Apr 2008 04:48:53 -0000 2.48.4.12
+++ imp/smime.php 21 Jan 2009 21:57:31 -0000
@@ -63,7 +63,7 @@
$t->setOption('gettext', true);
$t->set('submit_url', Util::addParameter(Horde::applicationUrl('smime.php'), 'actionID',
+'process_passphrase_dialog'));
$t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
- $t->set('action', Util::getFormData('passphrase_action'));
+ $t->set('action', htmlspecialchars(Util::getFormData('passphrase_action')));
$t->set('locked_img', Horde::img('locked.png', _("S/MIME"), null, $GLOBALS['registry']->getImageDir('horde')));
echo $t->fetch(IMP_TEMPLATES . '/smime/passphrase.html');
}
@@ -79,7 +79,7 @@
function _reloadWindow()
{
- Util::closeWindowJS('opener.focus();opener.location.href="' . Util::getFormData('reload') . '";');
+ Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(Util::getFormData('reload')) . '";');
}
function _textWindowOutput($filename, $msg, $html = false)
Regards,
--
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
More information about the pkg-horde-hackers
mailing list