[#14213] Reflected Cross-Site Scripting (XSS)
Summary Reflected Cross-Site Scripting (XSS)
Queue Horde Base
Queue Version FRAMEWORK_5_2
Type Bug
State Resolved
Priority 3. High
Owners jan@horde.org
Requester duarteetraud@gmail.com
Created 2016-01-03 (1890 days ago)
Due
Updated 2017-10-20 (1234 days ago)
Assigned
Resolved 2016-01-06 (1887 days ago)
Milestone 5.2.9
Patch No

Comments
duarteetraud@gmail.com 2016-01-03 01:19:19
Hey guys,

I've found an XSS flaw on a gollem in Horde (5.2.5) application that's 
being used as a plugin in Roundcube for file management; I only 
tried in prod.

[domain]xplorer/gollem/manager.php?searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0

Variable: searchfield
The payload: ""><script/src=data:,alert(document.cookie)%2b" (With 
Chrome XSS-Auditor bypass)

Input validation in the search field should be enough to stop the attack.

I can post on the bug mailing list if you want.

Thank You.

Git Commit <commits@lists.horde.org> 2016-01-06 10:47:16
Changes have been made in Git (FRAMEWORK_5_2):

commit ab07a1b447de34e13983b4d7ceb18b58c3a358d8
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

     [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only 
a few applications (Bug #14213).

  horde/docs/CHANGES                       |    2 ++
  horde/package.xml                        |    4 ++--
  horde/templates/topbar/_menubar.html.php |    2 +-
  3 files changed, 5 insertions(+), 3 deletions(-)

http://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8

Jan Schneider <jan@horde.org> 2016-01-06 10:48:26
Thanks for the report!
In the future please report to security@horde.org instead, or make the 
comments only readable for the Horde Developers group.

Git Commit <commits@lists.horde.org> 2016-01-06 11:56:58
Changes have been made in Git (master):

commit f03301cf6edcca57121a15e80014c4d0f29d99a0
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

     [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only 
a few applications (Bug #14213).

  horde/docs/CHANGES                       |   26 +++++++++++++++++++++++---
  horde/templates/topbar/_menubar.html.php |    2 +-
  2 files changed, 24 insertions(+), 4 deletions(-)

http://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0

math.parent@gmail.com 2016-02-03 12:48:46
Horde groupware and webmail bundles changelogs mention "Fixed XSS 
vulnerabilities in menu bar and form renderer.".

Is this the only commit, or are there others?

Thanks

NB: Asking this as the Debian packager, for Debian stable "jessie".

math.parent@gmail.com 2016-02-03 13:00:50
> Horde groupware and webmail bundles changelogs mention "Fixed XSS 
> vulnerabilities in menu bar and form renderer.".
>
> Is this the only commit, or are there others?

OK. Got it, it's "XSS in Horde_Core_VarRenderer_Html".

It is currently hard to dig through the changelogs to get security 
patches. Why not use CVEs and traditional embargoed patches?

Git Commit <commits@lists.horde.org> 2017-10-20 20:33:42
Changes have been made in Git (FRAMEWORK_5_2):

commit 17a1ac38d6750d481784a56dedbcec685092cb41
Author: Jan Schneider <jan@horde.org>
Date:   Wed, 06 Jan 2016 11:47:03 +0100

[jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a 
few applications (Bug #14213).

  M docs/CHANGES
  M package.xml
  M templates/topbar/_menubar.html.php

https://github.com/horde/base/commit/17a1ac38d6750d481784a56dedbcec685092cb41
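
The commit notices above name templates/topbar/_menubar.html.php, but the thread does not show the change itself. As an added example (not Horde's code; the function names and the input markup are hypothetical), this PHP script feeds the reported query string through a template that copies the value into an attribute unescaped and through one that encodes it for the attribute context at output time:

```php
<?php
// Added example, not Horde code: function names and markup are hypothetical.

// Query string exactly as quoted in the report; parse_str() URL-decodes it.
parse_str('searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0', $query);

// Only accept a scalar string; searchfield[]=... would otherwise yield an array.
function search_value(array $query)
{
    return (isset($query['searchfield']) && is_string($query['searchfield']))
        ? $query['searchfield'] : '';
}

// "Before": the request value is copied into a double-quoted attribute as-is,
// so a '"' in the value ends the attribute and '>' ends the tag.
function render_search_unescaped(array $query)
{
    return '<input type="text" name="searchfield" value="'
        . search_value($query) . '" />';
}

// "After": encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both quote characters; the charset is stated explicitly.
function render_search_escaped(array $query)
{
    return '<input type="text" name="searchfield" value="'
        . htmlspecialchars(search_value($query), ENT_QUOTES, 'UTF-8') . '" />';
}

// Regression check: the rendered field must still be exactly one tag with
// three quoted attributes, i.e. one '<', one '>' and six '"' characters.
function stays_inside_attribute($html)
{
    return substr_count($html, '<') === 1
        && substr_count($html, '>') === 1
        && substr_count($html, '"') === 6;
}

foreach (array('unescaped' => 'render_search_unescaped',
               'escaped'   => 'render_search_escaped') as $label => $render) {
    $html = $render($query);
    printf("%-9s %s\n  %s\n", $label,
        stays_inside_attribute($html) ? 'value contained' : 'markup injected', $html);
}
```

Run from the command line, the unescaped variant reports "markup injected" and the escaped variant reports "value contained"; the same check can be kept as a regression test for any template that echoes request parameters.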