Tickets :: [#14213] Reflected Cross-Site Scripting (XSS)

6.0.0-git

2021-01-18

Summary	Reflected Cross-Site Scripting (XSS)
Queue	Horde Base
Queue Version	FRAMEWORK_5_2
Type	Bug
State	Resolved
Priority	3. High
Owners	jan (at) horde (dot) org
Requester	duarteetraud (at) gmail (dot) com
Created	2016-01-03 (1842 days ago)
Due
Updated	2017-10-20 (1186 days ago)
Assigned
Resolved	2016-01-06 (1839 days ago)
Milestone	5.2.9
Patch	No

2017-10-20 20:33:42	Git Commit	Comment #7	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit 17a1ac38d6750d481784a56dedbcec685092cb41 Author: Jan Schneider <jan@horde.org> Date: Wed, 06 Jan 2016 11:47:03 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). M docs/CHANGES M package.xml M templates/topbar/_menubar.html.php https://github.com/horde/base/commit/17a1ac38d6750d481784a56dedbcec685092cb41

2016-02-03 13:00:50	math (dot) parent (at) gmail (dot) com	Comment #6	Reply to this comment
Horde groupware and webmail bundles changelogs mention "Fixed XSS vulnerabilities in menu bar and form renderer.". Is this this only commit, or are they others? OK. Got it, it's "XSS in Horde_Core_VarRenderer_Html". This is currently hard to dig thru the changelogs to get security patches. Why not using CVEs and traditionnal embargoed patches?

2016-02-03 12:48:46	math (dot) parent (at) gmail (dot) com	Comment #5	Reply to this comment
Horde groupware and webmail bundles changelogs mention "Fixed XSS vulnerabilities in menu bar and form renderer.". Is this this only commit, or are they others? Thanks NB: Asking this as the Debian packager, for Debian stable "jessie".

2016-01-06 11:56:58	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git (master): commit f03301cf6edcca57121a15e80014c4d0f29d99a0 Author: Jan Schneider <jan@horde.org> Date: Wed Jan 6 11:46:35 2016 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). horde/docs/CHANGES \| 26 +++++++++++++++++++++++--- horde/templates/topbar/_menubar.html.php \| 2 +- 2 files changed, 24 insertions(+), 4 deletions(-) http://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0

2016-01-06 10:48:26	Jan Schneider	Comment #3 Assigned to Jan Schneider State ⇒ Resolved Milestone ⇒ 5.2.9	Reply to this comment
Thanks for the report! In the future please report to security@horde.org instead, or make the comments only readable for the Horde Developers group.

2016-01-06 10:47:16	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit ab07a1b447de34e13983b4d7ceb18b58c3a358d8 Author: Jan Schneider <jan@horde.org> Date: Wed Jan 6 11:46:35 2016 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). horde/docs/CHANGES \| 2 ++ horde/package.xml \| 4 ++-- horde/templates/topbar/_menubar.html.php \| 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) http://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8

2016-01-06 10:47:03	Jan Schneider	Version ⇒ FRAMEWORK_5_2 Queue ⇒ Horde Base

2016-01-03 01:19:19	duarteetraud (at) gmail (dot) com	Comment #1 Type ⇒ Bug State ⇒ Unconfirmed Priority ⇒ 3. High Summary ⇒ Reflected Cross-Site Scripting (XSS) Queue ⇒ Gollem Milestone ⇒ Patch ⇒ No	Reply to this comment
Hey guys, I've found a XSS flaw on a gollem in Horde (5.2.5) application that's being used has a plugin in roundecube for file management, I only tried in prod. [domain]xplorer/gollem/manager.php?searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0 Variable: searchfield The payload: ""><script/src=data:,alert(document.cookie)%2b" (With Chrome XSS-Auditor bypass) Input validation in the search field should be enough to stop the attack. I can post on the bug mailist if you want. Thank You.