Summary | No validation of data in function getFormData results in XSS vulnerability |
Queue | Horde Base |
Queue Version | 2.2.8 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | Horde Developers (at) |
Requester | chuanwee (at) gmail (dot) com |
Created | 10/23/2005 (7169 days ago) |
Due | |
Updated | 11/13/2005 (7148 days ago) |
Assigned | 10/27/2005 (7165 days ago) |
Resolved | 11/13/2005 (7148 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Resolved
Assigned to
State ⇒ Assigned
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ No validation of data in function getFormData results in XSS vulnerability
Queue ⇒ Horde Base
data hence creating a cross-site scripting vulnerability.
By calling http://mail/css.php/css.php?app=......, this causes the
input data to be sent back to the user's browser in lib/Registry.php,
function applicationFilePath,
when the app is not found.
Horde::fatal(new PEAR_Error(sprintf(_("'%s' is not configured in the
Horde Registry."), $app)), __FILE__, __LINE__);
A temporary workaround to remove '%s' works for me. Hope there is a
more thorough solution.
cheers.
ChuanWee
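The report above describes an error message that reflects the unvalidated `app` parameter into the page, and a workaround that simply drops the `'%s'` placeholder. The following is an added example, not Horde's code and not the reporter's patch: the function names `applicationFilePathVulnerable` and `applicationFilePathSafe`, the `$registry` contents and the probe string are all constructed stand-ins for the Registry lookup, used only to show the reflection and a fix that keeps the diagnostic while HTML-encoding (and whitelisting) the reflected value.

```php
<?php
// Added example, not Horde's code. The registry below is a constructed
// sample standing in for the real Horde Registry.
$registry = array(
    'horde' => '/var/www/horde',
    'imp'   => '/var/www/horde/imp',
);

// Vulnerable pattern (hypothetical stand-in for the lookup described in
// the report): the request-controlled $app is interpolated into HTML
// output without any encoding, so markup in it reaches the browser intact.
function applicationFilePathVulnerable(array $registry, $app)
{
    if (!isset($registry[$app])) {
        return sprintf("<p>'%s' is not configured in the Horde Registry.</p>", $app);
    }
    return $registry[$app];
}

// Hardened version: reject names outside the expected character set up
// front, and HTML-encode the value on the one path where it is echoed.
// This keeps the useful diagnostic that removing '%s' throws away.
function applicationFilePathSafe(array $registry, $app)
{
    if (!preg_match('/^[a-z0-9_-]+$/i', $app)) {
        return '<p>Invalid application name.</p>';
    }
    if (!isset($registry[$app])) {
        return sprintf("<p>'%s' is not configured in the Horde Registry.</p>",
                       htmlspecialchars($app, ENT_QUOTES, 'UTF-8'));
    }
    return $registry[$app];
}

// Constructed probe: harmless markup, enough to show whether encoding happens.
$probe = '<b>not-an-app</b>';

echo applicationFilePathVulnerable($registry, $probe), "\n";
// -> <p>'<b>not-an-app</b>' is not configured in the Horde Registry.</p>
//    (tags delivered verbatim: the browser renders them)

echo applicationFilePathSafe($registry, $probe), "\n";
// -> <p>Invalid application name.</p>   (rejected by the whitelist, never reflected)

echo applicationFilePathSafe($registry, 'kronolith'), "\n";
// -> <p>'kronolith' is not configured in the Horde Registry.</p>
//    (unknown but well-formed name: reflected, but HTML-encoded)

echo applicationFilePathSafe($registry, 'imp'), "\n";
// -> /var/www/horde/imp
```

Run with `php example.php`. The whitelist alone would close this report, but encoding at the output point is the change worth keeping: it protects every other error string that interpolates request data, not just this one.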