[pkg-horde] Bug#513265: horde3: security issues via util/barcode.php and services/portal/cloud_search.php

Gregory Colpart reg at evolix.fr
Tue Jan 27 18:21:04 UTC 2009


Package: horde3
Version: 3.2.2+debian0-1
Severity: important
Tags: patch security

Hello,

Info from upstream:

* File Inclusion issue via util/barcode.php
The file Image.php passes an unvalidated filename to a dynamic
include statement on line 559. Allowing unvalidated user input
to control files that are included dynamically in PHP can lead to
malicious code execution. (fix is in the Horde_Image package)

* There is a small XSS/unescaped output (only exploitable by
someone who can create a contact, and requiring the victim to
have access to that contact).

Patches inline:

Index: framework/Image/Image.php
===================================================================
RCS file: /repository/framework/Image/Image.php,v
retrieving revision 1.39.10.17
diff -u -r1.39.10.17 Image.php
--- framework/Image/Image.php   6 Jun 2008 04:17:20 -0000       1.39.10.17
+++ framework/Image/Image.php   21 Jan 2009 22:09:31 -0000
@@ -551,6 +551,7 @@
             list($app, $driver) = $driver;
         }

+        $driver = basename($driver);
         $class = 'Horde_Image_' . $driver;
         if (!class_exists($class)) {
             if (!empty($app)) {
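Review bot: basename() only removes directory components, so after this line $driver can still be any name that happens to exist as a file in the driver directory (including one with a trailing ".php"); an explicit allowlist of the known Horde_Image drivers, or at least a `preg_match('/^[A-Za-z0-9_]+$/', $driver)` check before `$class = 'Horde_Image_' . $driver;`, would make the intent explicit and reject anything unexpected. The include on line 559 that the report refers to is outside the visible context, so it is worth confirming that the path built there uses this sanitised $driver and not a copy taken before this assignment.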
Index: services/portal/cloud_search.php
===================================================================
RCS file: /repository/horde/services/portal/cloud_search.php,v
retrieving revision 1.1.2.2
diff -u -r1.1.2.2 cloud_search.php
--- services/portal/cloud_search.php    2 Jan 2008 11:32:37 -0000       1.1.2.2
+++ services/portal/cloud_search.php    21 Jan 2009 22:09:32 -0000
@@ -28,7 +28,7 @@
 $results = array_merge($results, $registry->call('news/searchTags',
                                                  array(array($tag))));
 echo '<div class="control"><strong>'
-    . sprintf(_("Results for %s"), '<span style="font-style:italic">' . $tag . '</span>')
+    . sprintf(_("Results for %s"), '<span style="font-style:italic">' . htmlspecialchars($tag) . '</span>')
     . '</strong>'
     . Horde::link('#', '', '', '', '$(\'cloudsearch\').hide();', '', '', array('style' => 'font-size:75%;'))
     . '(' . _("Hide Results") . ')</a></span></div><ul class="linedRow">';
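Review bot: htmlspecialchars($tag) is called without flags or a charset, so it falls back to ENT_COMPAT (single quotes left alone) and the default charset; that is enough for this position, which is element content inside the span, but passing ENT_QUOTES and the page's charset explicitly would keep the escaping correct if the same expression is ever moved into an attribute or the default charset differs from the page encoding. The rest of cloud_search.php is not in the hunk, so any other place the raw $tag is echoed (for example in the result list that follows this header) should get the same treatment.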


Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
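As an added example, not part of this report or of Horde's own code, the two fixes above in a hardened form: a driver loader that combines the patch's basename() step with an allowlist of known driver names before any file is included, and an output helper that escapes with explicit flags and charset. The driver list, the directory path, the function names and the demonstration inputs are hypothetical or constructed; the syntax is modern PHP rather than the PHP 4/5 of the Horde 3 era.

```php
<?php
// Added example (not Horde code): validate a user-controlled driver name
// before it reaches require_once, and escape untrusted text before it is
// echoed into HTML. Names, paths and inputs below are hypothetical.

// Assumed allowlist of driver implementations; anything else is rejected.
const IMAGE_DRIVERS = ['gd', 'im', 'png', 'svg'];

/**
 * Map a requested driver name to a class name, or return null when the
 * request does not name a known driver.
 */
function resolveImageDriver(string $requested): ?string
{
    // Same first step as the patch: drop any directory components...
    $name = basename($requested);
    // ...then insist the remainder is one of the known drivers. This is
    // stricter than basename() alone, which still admits any file that
    // happens to exist in the driver directory.
    if (!in_array($name, IMAGE_DRIVERS, true)) {
        return null;
    }
    return 'Horde_Image_' . $name;
}

/**
 * Load the driver class for a validated name. The include path is built
 * from the allowlisted name only, never from the raw request value.
 */
function loadImageDriver(string $requested, string $driverDir): ?string
{
    $class = resolveImageDriver($requested);
    if ($class === null) {
        return null;
    }
    if (!class_exists($class, false)) {
        $file = $driverDir . '/' . substr($class, strlen('Horde_Image_')) . '.php';
        if (!is_file($file)) {
            return null;
        }
        require_once $file;
    }
    return class_exists($class, false) ? $class : null;
}

/** Escape untrusted text for HTML element or attribute content (UTF-8). */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demonstration with constructed inputs: only the allowlisted names resolve.
foreach (['gd', '../../config.php', 'gd.php', 'im'] as $in) {
    printf("%-20s => %s\n", $in, resolveImageDriver($in) ?? 'rejected');
}

// Constructed tag value containing characters that must not reach the page raw.
$tag = 'a<b>&"c\'d';
echo '<span style="font-style:italic">' . escapeHtml($tag) . "</span>\n";
```

The allowlist check is what actually bounds the set of files that can be loaded; basename() on its own is only a traversal guard. For the output side, passing ENT_QUOTES and the charset explicitly means the same helper is safe whether the value ends up in element content or inside a quoted attribute.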
