2014-11-23

[#9191] XSS Vulnerability
Summary: XSS Vulnerability
Queue: Gollem
Queue Version: 1.1.1
Type: Bug
State: Resolved
Priority: 3. High
Owners: slusarz (at) horde (dot) org
Requester: nightmare.lmw (at) anarchynet (dot) org
Created: 2010-08-21 (1555 days ago)
Due:
Updated: 2010-08-24 (1552 days ago)
Assigned:
Resolved: 2010-08-24 (1552 days ago)
Milestone:
Patch: Yes

History
2010-08-24 18:38:26 Michael Slusarz Comment #3
Assigned to Michael Slusarz
State ⇒ Resolved
Git master fix:
http://lists.horde.org/archives/commits/2010-August/004747.html

This has been fixed in 1.1.2, although slightly different from your 
patch - we instead use the Horde::fatal() function which is the 
preferred way of reporting these kinds of errors anyway.

Thank you for your report.
2010-08-21 14:20:21 nightmare (dot) lmw (at) anarchynet (dot) org Comment #1
State ⇒ Unconfirmed
New Attachment: view.php.patched
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Gollem
Summary ⇒ XSS Vulnerability
Type ⇒ Bug
Priority ⇒ 3. High
I have found a Cross Site Scripting vulnerability in Gollem.

Exploit : 
http://localhost/horde/gollem/view.php?actionID=view_file&type=txt&file=<script>alert("XSS")</script>&dir=../baddir/&driver=file

Vulnerable file : view.php (Line 32 - 46)

Vulnerable code :

if (is_callable(array($GLOBALS['gollem_vfs'], 'readStream'))) {
     $stream = $GLOBALS['gollem_vfs']->readStream($filedir, $filename);
     if (is_a($stream, 'PEAR_Error')) {
         Horde::logMessage($stream, __FILE__, __LINE__, PEAR_LOG_NOTICE);
         printf(_("Access denied to %s"), $filename);
         exit;
     }
} else {
     $data = $GLOBALS['gollem_vfs']->read($filedir, $filename);
     if (is_a($data, 'PEAR_Error')) {
         Horde::logMessage($data, __FILE__, __LINE__, PEAR_LOG_NOTICE);
         printf(_("Access denied to %s"), $filename);
         exit;
     }
}

I hope you fix the vulnerability asap. Patch in attachment.

Have a nice day.

Nicolas C. [NightMareLmW From DevSec]
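
The output encoding that the printf() calls in the reported snippet lack, shown as an added stand-alone example; it is not Horde's code, not the reporter's attached patch, and not the Horde::fatal() change that shipped in 1.1.2. The helper names are hypothetical, the message string omits the gettext wrapper, and the input is the file value from the URL in the report.

```php
<?php
// Added example: stand-alone, uses no Horde or Gollem code.
// access_denied_raw() / access_denied_escaped() are hypothetical helpers
// that mirror the printf() in the reported view.php snippet.

/** Vulnerable form: the request-supplied file name reaches HTML unescaped. */
function access_denied_raw(string $filename): string
{
    return sprintf('Access denied to %s', $filename);
}

/** Hardened form: encode for the HTML context before interpolating. */
function access_denied_escaped(string $filename): string
{
    // ENT_QUOTES encodes both quote styles, so the message stays safe if it
    // is later reused inside an attribute value. ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('Access denied to %s', $safe);
}

// Constructed request value: the "file" parameter from the report's URL.
$file = '<script>alert("XSS")</script>';

$raw     = access_denied_raw($file);
$escaped = access_denied_escaped($file);

echo $raw, PHP_EOL;      // markup passes through intact
echo $escaped, PHP_EOL;  // markup is rendered inert as entities

// The escaped message must contain no markup or quote characters.
if (preg_match('/[<>"\']/', $escaped)) {
    throw new RuntimeException('escaped message still contains markup');
}
// Decoding restores the original text, so ordinary file names still
// display unchanged to the user.
if (htmlspecialchars_decode($escaped, ENT_QUOTES) !== $raw) {
    throw new RuntimeException('escaping altered the visible message');
}
```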