[#6906] The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Summary The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Queue Horde Base
Queue Version 3.2
Type Bug
State Resolved
Priority 2. Medium
Owners Chuck Hagenbuch <chuck (at) horde (dot) org>
Requester nicolas (dot) kerschenbaum (at) xmcopartners (dot) com
Created 06/12/2008 (125 days ago)
Due 06/10/2008 (127 days ago)
Updated 06/13/2008 (124 days ago)
Assigned 06/12/2008 (125 days ago)
Resolved 06/13/2008 (124 days ago)
Attachments xss.png
Milestone
Patch No

History
06/13/2008 Chuck Hagenbuch Comment #11
State ⇒ Resolved
Assigned to Chuck Hagenbuch
This is fixed in CVS, and Horde 3.2.1 will be out with the fix presently.
06/13/2008 CVS Commit Comment #10
06/13/2008 Chuck Hagenbuch Comment #9
No, I already moved it to the Horde queue.
06/13/2008 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #8
So could you remove this ticket? I will post a new one in the Horde Bugs topic.

Regards

06/13/2008 Chuck Hagenbuch Comment #7
Queue ⇒ Horde Base
That's not even part of Turba.
06/13/2008 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #6
Indeed, the page add.php is not the issue, but the parameter 'object[name]', saved in the add.php page, is not sanitized in the page '/horde/services/obrowser/?path=turba/localsql'.

06/13/2008 Chuck Hagenbuch Comment #5
Your initial report was misleading about where the vulnerability is (XSS is a display problem, so add.php isn't the issue). We are currently investigating.
06/13/2008 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #4
New Attachment: xss.png
1) I add a contact (page: '/horde/turba/add.php') with the name:
Jean Dupont<script>alert('XMCO');</script>
http://img258.imageshack.us/img258/3708/formao0.png

2) I see my contact list (page: '/horde/services/obrowser/?path=turba/localsql:heremylogin') and there is an XSS.
http://img246.imageshack.us/img246/5604/xsswt6.png

So, if this security bug is fixed, which version is not vulnerable?

Regards
06/12/2008 Chuck Hagenbuch Comment #3
Well, there was another problem, but not in add.php itself. Are you saying the vulnerability you see is on the add form itself?
06/12/2008 Chuck Hagenbuch Comment #2
State ⇒ Feedback
Yes, it is.
06/12/2008 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #1
Milestone ⇒
Queue ⇒ Turba
Due ⇒ 06/10/2008
Summary ⇒ The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Type ⇒ Bug
Priority ⇒ 2. Medium
State ⇒ Unconfirmed
Hello,

I found a security hole in Turba H3 2.1.7.
This is a Cross Site Scripting (XSS) vulnerability.
The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'.

POC:

<input type="text" name="object[name]" id="object[name]" size="40" 
value="<script>alert('XSS by Nicolas Kerschenbaum');</script>"   
maxlength="255" />

Could you tell me if this vulnerability is corrected in the latest version of Turba (2.2)?

Regards

Nicolas Kerschenbaum
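The thread settles on the point that the name is stored intact by add.php and the bug is in the page that displays it (the object browser). The following PHP is an added illustration, not Horde or Turba code: a stand-in contact renderer showing the unescaped rendering beside one that escapes at the output boundary, using the constructed payload from the report; the function names and markup are assumptions.

```php
<?php
// Added example, not Horde/Turba code. The stored value below is the
// constructed test name from the report; in the real bug it came from the
// 'object[name]' field saved by add.php and was rendered by obrowser.
$storedName = "Jean Dupont<script>alert('XMCO');</script>";

// Vulnerable rendering: the stored value is dropped into the markup as-is,
// both as link text and inside a title attribute. Since the value is
// persisted, every user who views the contact list executes the script.
function renderContactUnsafe(string $name): string
{
    return "<li><a href=\"#\" title=\"$name\">$name</a></li>";
}

// Hardened rendering: escape in the page that emits HTML, not in add.php.
// ENT_QUOTES also converts single quotes, so the same helper is safe for
// attribute values; the explicit charset avoids encoding-specific bypasses.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderContactSafe(string $name): string
{
    $e = escapeHtml($name);
    return "<li><a href=\"#\" title=\"$e\">$e</a></li>";
}

// A simple regression check: the escaped output must not contain a literal
// script tag, while the original stored value is left untouched.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "unsafe: ", renderContactUnsafe($storedName), "\n";
echo "safe:   ", renderContactSafe($storedName), "\n";
echo "unsafe output carries a script tag: ",
    containsRawScriptTag(renderContactUnsafe($storedName)) ? "yes" : "no", "\n";
echo "safe output carries a script tag:   ",
    containsRawScriptTag(renderContactSafe($storedName)) ? "yes" : "no", "\n";
```

The check in containsRawScriptTag is what a unit test for the display page would assert after the fix; the add form can keep accepting the raw name, because escaping belongs where the HTML is produced.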