[#14213] Reflected Cross-Site Scripting (XSS)
Summary: Reflected Cross-Site Scripting (XSS)
Queue: Horde Base
Queue Version: FRAMEWORK_5_2
Type: Bug
State: Resolved
Priority: 3. High
Owners: jan (at) horde (dot) org
Requester: duarteetraud (at) gmail (dot) com
Created: 01/03/2016
Due:
Updated: 10/20/2017
Assigned:
Resolved: 01/06/2016
Github Issue Link:
Github Pull Request:
Milestone: 5.2.9
Patch: No

History
10/20/2017 08:33:42 PM Git Commit Comment #7
Changes have been made in Git (FRAMEWORK_5_2):

commit 17a1ac38d6750d481784a56dedbcec685092cb41
Author: Jan Schneider <jan@horde.org>
Date:   Wed, 06 Jan 2016 11:47:03 +0100

[jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a 
few applications (Bug #14213).

  M docs/CHANGES
  M package.xml
  M templates/topbar/_menubar.html.php

https://github.com/horde/base/commit/17a1ac38d6750d481784a56dedbcec685092cb41
02/03/2016 01:00:50 PM math (dot) parent (at) gmail (dot) com Comment #6
Horde groupware and webmail bundles changelogs mention "Fixed XSS 
vulnerabilities in menu bar and form renderer.".

Is this the only commit, or are there others?
OK. Got it, it's "XSS in Horde_Core_VarRenderer_Html".

It is currently hard to dig through the changelogs to get security 
patches. Why not use CVEs and traditional embargoed patches?
02/03/2016 12:48:46 PM math (dot) parent (at) gmail (dot) com Comment #5
Horde groupware and webmail bundles changelogs mention "Fixed XSS 
vulnerabilities in menu bar and form renderer.".

Is this the only commit, or are there others?

Thanks

NB: Asking this as the Debian packager, for Debian stable "jessie".
01/06/2016 11:56:58 AM Git Commit Comment #4
Changes have been made in Git (master):

commit f03301cf6edcca57121a15e80014c4d0f29d99a0
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

    [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only
    a few applications (Bug #14213).

  horde/docs/CHANGES                       |   26 +++++++++++++++++++++++---
  horde/templates/topbar/_menubar.html.php |    2 +-
  2 files changed, 24 insertions(+), 4 deletions(-)

http://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0
01/06/2016 10:48:26 AM Jan Schneider Comment #3
Assigned to Jan Schneider
State ⇒ Resolved
Milestone ⇒ 5.2.9
Thanks for the report!
In the future please report to security@horde.org instead, or make the 
comments only readable for the Horde Developers group.
01/06/2016 10:47:16 AM Git Commit Comment #2
Changes have been made in Git (FRAMEWORK_5_2):

commit ab07a1b447de34e13983b4d7ceb18b58c3a358d8
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jan 6 11:46:35 2016 +0100

    [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only
    a few applications (Bug #14213).

  horde/docs/CHANGES                       |    2 ++
  horde/package.xml                        |    4 ++--
  horde/templates/topbar/_menubar.html.php |    2 +-
  3 files changed, 5 insertions(+), 3 deletions(-)

http://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8
01/06/2016 10:47:03 AM Jan Schneider Version ⇒ FRAMEWORK_5_2
Queue ⇒ Horde Base
 
01/03/2016 01:19:19 AM duarteetraud (at) gmail (dot) com Comment #1
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ Reflected Cross-Site Scripting (XSS)
Queue ⇒ Gollem
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
Hey guys,

I've found an XSS flaw in the Gollem application in Horde (5.2.5) that's 
being used as a plugin in Roundcube for file management; I only 
tried it in prod.

[domain]xplorer/gollem/manager.php?searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0

Variable: searchfield
The payload: 
""><!--a75c305b1c0a6022--><script/src=data:,alert(document.cookie)%2b" 
(With Chrome XSS-Auditor bypass)

Input validation in the search field should be enough to stop the attack.

I can post on the bug mailing list if you want.

Thank You.
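As an added illustration from a defender's point of view (not code from this report and not Horde's actual fix), the vulnerable and the hardened way of echoing a request value such as `searchfield` back into a form field. The helper names are hypothetical; the real change in `templates/topbar/_menubar.html.php` is not reproduced here.

```php
<?php
// Added example, not Horde's template code: shows why a value reflected into
// an HTML attribute verbatim can break out of it, and how output encoding
// for the attribute context keeps it contained.

/** Vulnerable pattern: the request value is interpolated without encoding. */
function renderSearchFieldUnsafe(string $value): string
{
    // A value beginning with `">` closes the attribute and the element, so
    // whatever follows is parsed as markup instead of as the field's text.
    return '<input type="text" name="searchfield" value="' . $value . '">';
}

/** Hardened pattern: encode for the HTML attribute context first. */
function renderSearchFieldSafe(string $value): string
{
    // ENT_QUOTES encodes both ' and " so neither quote style can terminate
    // the attribute; the charset must match the page's encoding.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="searchfield" value="' . $escaped . '">';
}

/**
 * Regression check (hypothetical helper): after stripping the fixed markup
 * around the attribute, nothing that could end the attribute or open a tag
 * may remain between the two delimiting quotes.
 */
function valueStaysInAttribute(string $html): bool
{
    $prefix = '<input type="text" name="searchfield" value="';
    $suffix = '">';
    if (strpos($html, $prefix) !== 0 || substr($html, -strlen($suffix)) !== $suffix) {
        return false;
    }
    $inner = substr($html, strlen($prefix), -strlen($suffix));
    return strpbrk($inner, '"<>') === false;
}

// Constructed input with the same shape as the reported payload (not a
// captured request): it starts by closing the attribute and the tag.
$input = '""><script>alert(1)</script>';

if (valueStaysInAttribute(renderSearchFieldUnsafe($input))
    || !valueStaysInAttribute(renderSearchFieldSafe($input))) {
    throw new RuntimeException('attribute containment check failed');
}
echo "encoded rendering keeps the reflected value inside the attribute\n";
```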
