2021-01-18

[#14213] Reflected Cross-Site Scripting (XSS)
Summary Reflected Cross-Site Scripting (XSS)
Queue Horde Base
Queue Version FRAMEWORK_5_2
Type Bug
State Resolved
Priority 3. High
Owners jan (at) horde (dot) org
Requester duarteetraud (at) gmail (dot) com
Created 2016-01-03 (1842 days ago)
Due
Updated 2017-10-20 (1186 days ago)
Assigned
Resolved 2016-01-06 (1839 days ago)
Milestone 5.2.9
Patch No

History
2017-10-20 20:33:42 Git Commit Comment #7
Changes have been made in Git (FRAMEWORK_5_2):

commit 17a1ac38d6750d481784a56dedbcec685092cb41
Author: Jan Schneider <jan@horde.org>
Date:   Wed, 06 Jan 2016 11:47:03 +0100

[jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a 
few applications (Bug #14213).

  M docs/CHANGES
  M package.xml
  M templates/topbar/_menubar.html.php

https://github.com/horde/base/commit/17a1ac38d6750d481784a56dedbcec685092cb41
2016-02-03 13:00:50 math (dot) parent (at) gmail (dot) com Comment #6
Horde groupware and webmail bundles changelogs mention "Fixed XSS 
vulnerabilities in menu bar and form renderer.".

Is this the only commit, or are there others?
OK. Got it, it's "XSS in Horde_Core_VarRenderer_Html".

It is currently hard to dig through the changelogs to get security 
patches. Why not use CVEs and traditional embargoed patches?
2016-02-03 12:48:46 math (dot) parent (at) gmail (dot) com Comment #5
Horde groupware and webmail bundles changelogs mention "Fixed XSS 
vulnerabilities in menu bar and form renderer.".

Is this the only commit, or are there others?

Thanks

NB: Asking this as the Debian packager, for Debian stable "jessie".
2016-01-06 11:56:58 Git Commit Comment #4
Changes have been made in Git (master):

commit f03301cf6edcca57121a15e80014c4d0f29d99a0
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

     [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only 
a few applications (Bug #14213).

  horde/docs/CHANGES                       |   26 +++++++++++++++++++++++---
  horde/templates/topbar/_menubar.html.php |    2 +-
  2 files changed, 24 insertions(+), 4 deletions(-)

http://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0
2016-01-06 10:48:26 Jan Schneider Comment #3
Assigned to Jan Schneider
State ⇒ Resolved
Milestone ⇒ 5.2.9
Thanks for the report!
In the future please report to security@horde.org instead, or make the 
comments only readable for the Horde Developers group.
2016-01-06 10:47:16 Git Commit Comment #2
Changes have been made in Git (FRAMEWORK_5_2):

commit ab07a1b447de34e13983b4d7ceb18b58c3a358d8
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

     [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only 
a few applications (Bug #14213).

  horde/docs/CHANGES                       |    2 ++
  horde/package.xml                        |    4 ++--
  horde/templates/topbar/_menubar.html.php |    2 +-
  3 files changed, 5 insertions(+), 3 deletions(-)

http://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8
2016-01-06 10:47:03 Jan Schneider Version ⇒ FRAMEWORK_5_2
Queue ⇒ Horde Base
 
2016-01-03 01:19:19 duarteetraud (at) gmail (dot) com Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ Reflected Cross-Site Scripting (XSS)
Queue ⇒ Gollem
Milestone ⇒
Patch ⇒ No
Hey guys,

I've found an XSS flaw in a Gollem in Horde (5.2.5) application that's 
being used as a plugin in Roundcube for file management; I only 
tried in prod.

[domain]xplorer/gollem/manager.php?searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0

Variable: searchfield
The payload: ""><script/src=data:,alert(document.cookie)%2b" (With 
Chrome XSS-Auditor bypass)

Input validation in the search field should be enough to stop the attack.

I can post on the bug mailing list if you want.

Thank You.
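
The commits in this ticket changed a template (templates/topbar/_menubar.html.php), so the fix sits on the output side; the diff itself is not shown on this page. The PHP below is an added example, not Horde code and not part of the ticket: it renders the reported `searchfield` value with and without `htmlspecialchars()`, assuming the value is reflected inside a double-quoted attribute (the function names and the `<input>` markup are hypothetical).

```php
<?php
// Added illustration, not Horde code: function names and the <input> markup are hypothetical.

// Constructed input: the reported searchfield value, URL-decoded the way PHP
// delivers it in $_GET (%22 is ", %3E is >, %3C is <, %2b is +).
$searchfield = urldecode('%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22');

/** Vulnerable pattern: the request value is concatenated into an attribute as-is. */
function render_unescaped(string $value): string
{
    return '<input type="text" name="searchfield" value="' . $value . '">';
}

/** Hardened pattern: encode for the HTML attribute context at the point of output. */
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="searchfield" value="' . $safe . '">';
}

/**
 * Text between value=" and the first raw double quote after it, entity-decoded.
 * That first raw quote is where an HTML parser ends the attribute.
 */
function attribute_as_parsed(string $html): string
{
    $start = strpos($html, 'value="') + strlen('value="');
    $end = strpos($html, '"', $start);
    return html_entity_decode(substr($html, $start, $end - $start), ENT_QUOTES, 'UTF-8');
}

foreach (['render_unescaped', 'render_escaped'] as $render) {
    $html = $render($searchfield);
    $parsed = attribute_as_parsed($html);
    printf("%s\n  markup: %s\n", $render, $html);
    printf("  attribute value seen by parser: %s\n", var_export($parsed, true));
    printf("  raw <script in markup: %s\n", stripos($html, '<script') !== false ? 'yes' : 'no');
    printf("  submitted text preserved: %s\n\n", $parsed === $searchfield ? 'yes' : 'no');
}
```

With the unescaped renderer the attribute ends at the first submitted quote and the rest of the value becomes markup; with the escaped renderer the whole value stays inside the attribute and the user's search text is preserved unchanged.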
