6.0.0-beta1
7/29/25

[#3523] login page cross site scripting vulnerable
Summary login page cross site scripting vulnerable
Queue Horde Framework Packages
Queue Version FRAMEWORK_3
Type Bug
State Resolved
Priority 2. Medium
Owners
Requester info (at) friethoff (dot) com
Created 02/22/2006 (7097 days ago)
Due
Updated 02/22/2006 (7097 days ago)
Assigned 02/22/2006 (7097 days ago)
Resolved 02/22/2006 (7097 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
02/22/2006 08:18:52 PM info (at) friethoff (dot) com Comment #5
Ok, great. I agree it does not justify a .10 release.

Cheers.

E.
02/22/2006 05:00:04 PM Chuck Hagenbuch Comment #4
State ⇒ Resolved
Fixed now in CVS and FW_3. Because this doesn't affect authenticated 
sessions I'm not inclined to release 3.0.10 just for it. It'll be in 
3.1.0 when that is released.
02/22/2006 01:17:36 PM info (at) friethoff (dot) com Comment #3
> I can't reproduce this. Where and when exactly do you see the image?

When you put the following line in the username and in the password box:

"><img src="http://www.google.nl/logos/olympics06_alpine.gif">

including all " and >, the image will appear on the site.

I'm using Horde 3.09 and the default login page.
02/22/2006 01:07:53 PM Jan Schneider Comment #2
State ⇒ Feedback
I can't reproduce this. Where and when exactly do you see the image?
02/22/2006 12:44:29 PM info (at) friethoff (dot) com Comment #1
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ login page cross site scripting vulnerable
Queue ⇒ Horde Framework Packages
Login page has an XSS vulnerability.

When username is "><img src="http://www.google.nl/logos/olympics06_alpine.gif">

and password is "><img src="http://www.google.nl/logos/olympics06_alpine.gif">

the image of Google will be loaded.
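
The thread does not show the login template or the fix that went into CVS. As an added illustration (not Horde's code; the function names and the `username` field name are hypothetical), this PHP sketch shows the bug class the report describes, a submitted value echoed into an attribute unescaped, next to the attribute-encoded form, and uses DOMDocument to count the `<img>` elements each rendering produces for the string quoted in the report.

```php
<?php
// Added illustration of the bug class in this ticket; not Horde's code.
// Function names and the "username" field name are hypothetical.

// Vulnerable pattern: the submitted value is echoed back into the
// value attribute without encoding, so a '"' ends the attribute early.
function render_login_field_unsafe(string $name, string $submitted): string
{
    return '<input type="text" name="' . $name . '" value="' . $submitted . '">';
}

// Hardened pattern: encode for the HTML attribute context on output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function render_login_field_safe(string $name, string $submitted): string
{
    $enc = htmlspecialchars($submitted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $enc . '">';
}

// Parse the rendered fragment the way a browser would and count how
// many elements of the given tag ended up in the document tree.
function count_tags(string $html, string $tag): int
{
    $doc = new DOMDocument();
    // '@' silences libxml warnings about the stray text in the unsafe case.
    @$doc->loadHTML('<html><body><form>' . $html . '</form></body></html>');
    return $doc->getElementsByTagName($tag)->length;
}

// The string from the report, used here as regression-test input.
$payload = '"><img src="http://www.google.nl/logos/olympics06_alpine.gif">';

$renderers = [
    'unsafe' => 'render_login_field_unsafe',
    'safe'   => 'render_login_field_safe',
];

foreach ($renderers as $label => $fn) {
    $html = $fn('username', $payload);
    printf("%-6s img elements: %d\n       %s\n", $label, count_tags($html, 'img'), $html);
}

// A password field is best re-rendered with no value attribute at all,
// which removes the reflection instead of encoding it.
```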
