The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php' Sat, 22 Nov 2008 09:54:25 -0500 http://bugs.horde.org/ticket/6906 The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php' Hello, I found a security hole in Turba H3 2.1.7 This is Hello, I found a security hole in Turba H3 2.1.7 This is a Cross Site Scripting (XSS) vulnerability. The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php' POC: <input type="text" name="object[name]" id="object[name]" size="40" value="<script>alert('XSS by Nicolas Kerschenbaum');</script>" maxlength="255" /> Could you tell me if this vulnerability is corrected in the last version of turba (2.2). Regards Nicolas Kerschenbaum Thu, 12 Jun 2008 12:28:54 -0400 http://bugs.horde.org/ticket/6906#t46330 Yes, it is. Yes, it is. Thu, 12 Jun 2008 13:01:50 -0400 http://bugs.horde.org/ticket/6906#t46333 Well, there was another problem, but not in add.php itself - Well, there was another problem, but not in add.php itself - are you saying the vulnerability you see is on the add form itself? Thu, 12 Jun 2008 14:24:58 -0400 http://bugs.horde.org/ticket/6906#t46336 1) I add a contact (page: '/horde/turba/add.php') with the n 1) I add a contact (page: '/horde/turba/add.php') with the name : Jean Dupont<script>alert('XMCO');</script> http://img258.imageshack.us/img258/3708/formao0.png 2) I see my contact list (page: '/horde/services/obrowser/?path=turba/localsql:heremylogin') and there is a XSS http://img246.imageshack.us/img246/5604/xsswt6.png So, if this security bug is fixed, which version is not vulnerable ? Regards Fri, 13 Jun 2008 04:59:58 -0400 http://bugs.horde.org/ticket/6906#t46389 your initial report was misleading about where the vulnerabi your initial report was misleading about where the vulnerability is (xss is a display problem, so add.php isn't the issue). we are currently investigating. Fri, 13 Jun 2008 10:58:12 -0400 http://bugs.horde.org/ticket/6906#t46408 Indeed, the page add.php is not the issue, but the parameter Indeed, the page add.php is not the issue, but the parameter 'object[name]', saved in add.php page, is not sanitized in the page '/horde/services/obrowser/?path=turba/localsql'. Fri, 13 Jun 2008 11:43:38 -0400 http://bugs.horde.org/ticket/6906#t46414 that's not even part of turba that's not even part of turba Fri, 13 Jun 2008 11:52:26 -0400 http://bugs.horde.org/ticket/6906#t46415 So could you remove this ticket, I will post a new one in th So could you remove this ticket, I will post a new one in the Horde Bugs topic. Regards Fri, 13 Jun 2008 11:57:39 -0400 http://bugs.horde.org/ticket/6906#t46416 no, i already moved it to the horde queue no, i already moved it to the horde queue Fri, 13 Jun 2008 12:12:11 -0400 http://bugs.horde.org/ticket/6906#t46428 Changes have been made in CVS for this ticket: http://cvs.h Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.1108&r2=1.1109&ty=u http://cvs.horde.org/diff.php/horde/services/obrowser/index.php?r1=1.18&r2=1.19&ty=u Fri, 13 Jun 2008 17:43:31 -0400 http://bugs.horde.org/ticket/6906#t46443 This is fixed in CVS, and Horde 3.2.1 will be out with the f This is fixed in CVS, and Horde 3.2.1 will be out with the fix presently. Fri, 13 Jun 2008 17:46:20 -0400 http://bugs.horde.org/ticket/6906#t46444