
[#14857] Multiple XSS security vulnerabilities
Summary Multiple XSS security vulnerabilities
Queue Horde Groupware
Queue Version 5.2.22
Type Bug
State Resolved
Priority 3. High
Owners mrubinsk (at) horde (dot) org
Requester apo (at) debian (dot) org
Created 09/24/2018 (2475 days ago)
Due 09/24/2018 (2475 days ago)
Updated 01/06/2019 (2371 days ago)
Assigned 09/26/2018 (2473 days ago)
Resolved 09/28/2018 (2471 days ago)
Patch No

History
01/06/2019 10:48:02 PM Git Commit Comment #35
Changes have been made in Git (master):

commit cb26695ae3295da10698f92e303a9b90f351fa58
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sun, 06 Jan 2019 17:47:55 -0500

[mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857).

  M doc/Horde/Core/changelog.yml

https://github.com/horde/Core/commit/cb26695ae3295da10698f92e303a9b90f351fa58
10/09/2018 08:36:23 AM Jan Schneider Comment #34
Try again, you probably got on the fallback pear server, while the 
main server had temporarily been down.
10/07/2018 07:19:00 PM math (dot) parent (at) gmail (dot) com Comment #33
2.31.3 being the latest on pear.horde.org.

2.31.6 is the latest on Git...
10/07/2018 02:43:31 PM math (dot) parent (at) gmail (dot) com Comment #32
09/30/2018 09:27:12 PM 610code (at) gmail (dot) com Comment #31
New Attachment: horde-sqli-false-positives.zip
RE

I verified request-files for version .22 as well.
In my opinion those 2 SQLi bugs (for all 3 versions mentioned)
should be considered as false positives.

For version .22 I was able to 'inject' some data but it was garbage.
Below you'll find few screens.

My post on code610 will now be updated.
I will also ask MITRE to update information about this CVE.

Thank you for your time.

Best regards,
Cody
> (...) files attached below again; comment to delete; thank you
09/30/2018 08:56:22 PM 610code (at) gmail (dot) com Comment #30
New Attachment: horde-2-requests.zip
(...) files attached below again; comment to delete; thank you
09/30/2018 08:53:09 PM 610code (at) gmail (dot) com Comment #29
Hi,

first of all, thanks for the ping via email. It was a busy week. ;)

Second: I found copy/paste of requests I used (from Burp on the other VM).

To use them: update your cookie for valid one (you can use Burp) because
to exploit it you'll need to be an 'admin' anyway.

Then, sqlmap should be good to reproduce (-r request.txt).

As far as I remember 'display_errors' was enabled.

One note to add:
I tried those requests (with display_err to On and Off) for version 
5.2.19 and .21 as well.
I could not reproduce those 'steps' (for mentioned versions) this
time - so it's a little surprise for me to be honest. ;)

I did not yet check .22 version.

As we spoke more privately:
because we can not reproduce it now - it could be a false positive.
But I think if it's just 'depend' on something we don't know now/yet - that
is still worth to investigate (from the source code 'perspective').

If I can help - let me know.

Thank you for your time.

Best regards,
Cody
> I have asked the original reporter of CVE-2017-17781 to clarify the
> steps which are needed to produce a SQL injection. If a consensus
> cannot be reached or if he does not reply to this issue again, I
> will ask MITRE to review CVE-2017-17781. They might then either
> reject the issue or mark it as disputed.
09/30/2018 12:57:08 PM apo (at) debian (dot) org Comment #28
I have asked the original reporter of CVE-2017-17781 to clarify the 
steps which are needed to produce a SQL injection. If a consensus 
cannot be reached or if he does not reply to this issue again, I will 
ask MITRE to review CVE-2017-17781. They might then either reject the 
issue or mark it as disputed.
09/28/2018 05:04:43 PM Michael Rubinsky Comment #27
State ⇒ Resolved
> CVE-2017-17781 was published in another blog post. I missed it myself, sorry.
>
> https://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html
As far as 17781 goes, I can't verify any sql injection vulns. I've 
been in contact with the reporter, but have received no information 
that suggests there are any sql injection vuln in the areas specified 
in CVE-2017-17781.

I consider these issues closed.
09/27/2018 01:39:10 PM apo (at) debian (dot) org Comment #26
CVE-2017-17781 was published in another blog post. I missed it myself, sorry.

https://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html
09/26/2018 05:44:21 PM Michael Rubinsky Comment #25
State ⇒ Assigned
Ah, right:

CVE-2017-16906:   
https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d
CVE-2017-16907: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 
and
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
CVE-2017-16908: 
https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716

...and now as I'm doing this, I see that the last CVE referenced in 
your original report wasn't talked about on that blog page, so I 
missed it. Let me review that one to see if it's still pertinent or 
not....

09/26/2018 04:43:01 PM apo (at) debian (dot) org Comment #24
> These are all fixed, and released in
>
> horde/base
> horde/Core
> horde/Kronolith
>
> A release of the groupware bundles will be forthcoming.
Thank you very much for fixing these issues. Would it be possible to 
document which commit fixed a specific CVE? That would allow me and 
others to easily reference the patches.

09/26/2018 01:31:53 PM Michael Rubinsky Comment #23
State ⇒ Resolved
These are all fixed, and released in

horde/base
horde/Core
horde/Kronolith

A release of the groupware bundles will be forthcoming.
09/26/2018 01:30:34 PM Git Commit Comment #22
Changes have been made in Git (master):

commit e96c4029b98f0edd8cdb6ccc39c499ae2250f38a
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:30:21 -0400

[mjr] SECURITY: Fix XSS vulnerability when rendering custom background 
colors in a sidebar row (Bug #14857).

  M doc/changelog.yml

https://github.com/horde/base/commit/e96c4029b98f0edd8cdb6ccc39c499ae2250f38a
09/26/2018 01:29:07 PM Git Commit Comment #21
Changes have been made in Git (master):

commit 1e6c5e8eb53978916dbc5992507c170362a5f369
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:28:35 -0400

[mjr] SECURITY: Fix XSS vulnerability in resource group property view 
(Bug #14857).

  M doc/changelog.yml

https://github.com/horde/kronolith/commit/1e6c5e8eb53978916dbc5992507c170362a5f369
09/26/2018 01:27:27 PM Git Commit Comment #20
Changes have been made in Git (master):

commit 67d72baf06a3451d053d2dc414c75f66503623bc
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:26:49 -0400

[mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857).

  M doc/changelog.yml

https://github.com/horde/kronolith/commit/67d72baf06a3451d053d2dc414c75f66503623bc
09/26/2018 01:22:37 PM Git Commit Comment #19
Changes have been made in Git (FRAMEWORK_5_2):

commit 8253ed9b43a2e7e9d9cf8cdb0b41b19af34ebbc3
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 08:57:28 -0400

[mjr] SECURITY: Fix XSS vulnerability when rendering custom background 
colors in a sidebar row (Bug #14857).

  M docs/CHANGES
  M package.xml

https://github.com/horde/base/commit/8253ed9b43a2e7e9d9cf8cdb0b41b19af34ebbc3
09/26/2018 01:22:36 PM Git Commit Comment #18
Changes have been made in Git (FRAMEWORK_5_2):

commit 3cca562b1b2c074196304684c5263a657a34b826
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 08:57:28 -0400

[mjr] SECURITY: Fix XSS vulnerability when rendering custom background 
colors in a sidebar row (Bug #14857).

  M docs/changelog.yml

https://github.com/horde/base/commit/3cca562b1b2c074196304684c5263a657a34b826
09/26/2018 01:20:37 PM Git Commit Comment #17
Changes have been made in Git (FRAMEWORK_5_2):

commit b99a31396591e4e38e232870c50c3c3e619d58f7
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:13:43 -0400

[mjr] SECURITY: Fix XSS vulnerability in resource group property view 
(Bug #14857).

  M docs/CHANGES
  M package.xml

https://github.com/horde/kronolith/commit/b99a31396591e4e38e232870c50c3c3e619d58f7
09/26/2018 01:20:36 PM Git Commit Comment #16
Changes have been made in Git (FRAMEWORK_5_2):

commit 6ae7be8d5043acb568a686dc7f77de749f6848e7
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:13:43 -0400

[mjr] SECURITY: Fix XSS vulnerability in resource group property view 
(Bug #14857).

  M docs/changelog.yml

https://github.com/horde/kronolith/commit/6ae7be8d5043acb568a686dc7f77de749f6848e7
09/26/2018 01:20:36 PM Git Commit Comment #15
Changes have been made in Git (FRAMEWORK_5_2):

commit 83ecd2badfac5bc433cf33e8186a80c3f9eb8a51
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:10:09 -0400

[mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857).

  M docs/CHANGES
  M package.xml

https://github.com/horde/kronolith/commit/83ecd2badfac5bc433cf33e8186a80c3f9eb8a51
09/26/2018 01:20:35 PM Git Commit Comment #14
Changes have been made in Git (FRAMEWORK_5_2):

commit b8a38e49de65f0f6e5d97554c1b00fa8aeda028c
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 09:10:09 -0400

[mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857).

  M docs/changelog.yml

https://github.com/horde/kronolith/commit/b8a38e49de65f0f6e5d97554c1b00fa8aeda028c
09/26/2018 12:53:25 PM Git Commit Comment #13
Changes have been made in Git (FRAMEWORK_5_2):

commit 96d17f32fe2bb3ee531d60736ec00aae81dfe480
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 08:32:49 -0400

[mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857).

  M doc/Horde/Core/CHANGES
  M package.xml

https://github.com/horde/Core/commit/96d17f32fe2bb3ee531d60736ec00aae81dfe480
09/26/2018 12:53:24 PM Git Commit Comment #12
Changes have been made in Git (FRAMEWORK_5_2):

commit e88809517ada84e5dadf6da6d528539ea383d700
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed, 26 Sep 2018 08:32:49 -0400

[mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857).

  M doc/Horde/Core/changelog.yml

https://github.com/horde/Core/commit/e88809517ada84e5dadf6da6d528539ea383d700
09/26/2018 12:23:39 AM Git Commit Comment #11
Changes have been made in Git (master):

commit 17bf57c1fe0e5febbef6efeed76cbd98b0422e85
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 20:23:33 -0400

Bug: 14857

Escape user-provided resource name when outputting. Prevents XSS vuln.

  M js/kronolith.js

https://github.com/horde/kronolith/commit/17bf57c1fe0e5febbef6efeed76cbd98b0422e85
09/26/2018 12:23:13 AM Git Commit Comment #10
Changes have been made in Git (FRAMEWORK_5_2):

commit 39f740068ad21618f6f70b6e37855c61cadbd716
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 20:21:56 -0400

Bug: 14857

Escape user-provided resource name when outputting. Prevents XSS vuln.

  M js/kronolith.js

https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716
09/25/2018 07:56:11 PM 610code (at) gmail (dot) com Comment #9
New Attachment: hordeBugFound3.jpg
Hi,

first of all: I'm glad that you solved mentioned bugs.

In case of 'informing' - I tried. :) Please see attached screen.

In case of any questions - feel free to ask.
I'll answer as soon as possible (probably during next 24h).

Best regards,
Cody Sixteen

09/25/2018 04:16:45 PM Git Commit Comment #8
Changes have been made in Git (master):

commit 5aea995ec867b3ab1f2e34d586b840221932b439
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:16:39 -0400

Bug: 14857

Prevent XSS in event's URL field.

  M lib/Event.php

https://github.com/horde/kronolith/commit/5aea995ec867b3ab1f2e34d586b840221932b439
09/25/2018 04:16:15 PM Git Commit Comment #7
Changes have been made in Git (FRAMEWORK_5_2):

commit 09d90141292f9ec516a7a2007bf828ce2bbdf60d
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:15:27 -0400

Bug: 14857

Prevent XSS in event's URL field.

  M lib/Event.php

https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d
09/25/2018 04:13:43 PM Git Commit Comment #6
Changes have been made in Git (master):

commit dcad6626013cb000a94d77d07cd3933822424f4f
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:13:35 -0400

Bug: 14857

Escape user supplied color data, preventing XSS vuln.

  M lib/View/Sidebar.php

https://github.com/horde/base/commit/dcad6626013cb000a94d77d07cd3933822424f4f
09/25/2018 04:13:10 PM Git Commit Comment #5
Changes have been made in Git (FRAMEWORK_5_2):

commit fb2113bbcd04bd4a28c46aad0889fb0a3979a230
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:12:35 -0400

Bug: 14857

Escape user supplied color data, preventing XSS vuln.

  M lib/View/Sidebar.php

https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
09/25/2018 04:11:58 PM Git Commit Comment #4
Changes have been made in Git (FRAMEWORK_5_2):

commit ecea6ea740419e19122a50579ba2903c1cb71d7a
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:11:51 -0400

Bug: 14857

Escape user supplied $color value and prevent XSS vuln.

  M lib/Horde/Core/Ui/VarRenderer/Html.php

https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a
09/25/2018 04:11:27 PM Git Commit Comment #3
Changes have been made in Git (master):

commit da2342594b749f1f88747cbb11ecfdc188f64a85
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Tue, 25 Sep 2018 12:10:39 -0400

Bug: 14857

Escape user supplied $color value and prevent XSS vuln.

  M lib/Horde/Core/Ui/VarRenderer/Html.php

https://github.com/horde/Core/commit/da2342594b749f1f88747cbb11ecfdc188f64a85
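
Added example (not code from the Horde repositories): the commits above describe escaping a user-supplied color value, an event URL field and a resource name on output. The JavaScript below shows context-appropriate handling for those three kinds of value; the function names, the default color and the sample inputs are constructed for illustration.

```javascript
// Added illustration; not code from the Horde repositories.
// All function names and sample values below are constructed.

// HTML-escape text for element content or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// A color is a closed grammar, so validate against it rather than only
// escaping: accept #rgb or #rrggbb, otherwise fall back to a default.
function safeColor(value, fallback = '#dddddd') {
  const v = String(value);
  return /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i.test(v) ? v : fallback;
}

// Escaping alone does not neutralise a javascript: URL in href, so
// allowlist the scheme after parsing; return null when it is not linkable.
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch (e) {
    return null; // relative or malformed: render as plain text instead
  }
  return ['http:', 'https:'].includes(url.protocol) ? url.href : null;
}

// Render one sidebar-style row from untrusted fields.
function renderRow({ name, color, link }) {
  const href = safeHref(link);
  const label = escapeHtml(name);
  const body = href ? `<a href="${escapeHtml(href)}">${label}</a>` : label;
  return `<div style="background-color:${safeColor(color)}">${body}</div>`;
}

// Constructed hostile input: each field tries to break out of its context.
const hostile = {
  name: '<img src=x onerror=alert(1)>',
  color: 'red" onmouseover="alert(1)',
  link: 'javascript:alert(1)',
};
console.log(renderRow(hostile));
console.log(renderRow({ name: 'Room A', color: '#ff8800', link: 'https://example.org/a?b=1&c=2' }));
```
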
09/25/2018 12:46:35 PM Michael Rubinsky Assigned to Michael Rubinsky
State ⇒ Assigned
 
09/24/2018 05:49:29 PM Michael Rubinsky Comment #2
This is the first time that I'm seeing these, will investigate.

09/24/2018 12:18:40 PM apo (at) debian (dot) org Comment #1
Priority ⇒ 3. High
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Groupware
Type ⇒ Bug
Due ⇒ 09/24/2018
Summary ⇒ Multiple XSS security vulnerabilities
Several security vulnerabilities were publicly disclosed.

https://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html

They are also known as CVE-2017-16906, CVE-2017-16907, CVE-2017-16908 
and CVE-2017-17781.

Are you aware of these issues? The bug reporter claims that they are 
still present in the latest stable release. If you have already fixed 
them, I would appreciate more information about the concrete fixes 
because Debian and other Linux distributions would like to fix those 
issues.

Thanks in advance

Markus Koschany (apo@debian.org)
