Sat, 04 Apr 2026 11:59:44 +0000 https://bugs.horde.org/ticket/14857 Multiple XSS security vulnerabilities Several security vulnerabilities were publicly disclosed. https://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html They are also known as CVE-2017-16906, CVE-2017-16907, CVE-2017-16908 and CVE-2017-17781. Are you aware of these issues? The bug reporter claims that they are still present in the latest stable release. If you have already fixed them, I would appreciate more information about the concrete fixes because Debian and other Linux distributions would like to fix those issues. Thanks in advance Markus Koschany (apo@debian.org) Mon, 24 Sep 2018 12:18:40 +0000 https://bugs.horde.org/ticket/14857#t93043 This is the first time that I'm seeing these, will investigate. > Several security vulnerabilities were publicly disclosed. > > https://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html > > They are also known as CVE-2017-16906, CVE-2017-16907, CVE-2017-16908 > and CVE-2017-17781. > > Are you aware of these issues? The bug reporter claims that they are > still present in the latest stable release. If you have already fixed > them, I would appreciate more information about the concrete fixes > because Debian and other Linux distributions would like to fix those > issues. > > Thanks in advance > > Markus Koschany (apo@debian.org) Mon, 24 Sep 2018 17:49:29 +0000 https://bugs.horde.org/ticket/14857#t93044 Changes have been made in Git (master): commit da2342594b749f1f88747cbb11ecfdc188f64a85 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:10:39 -0400 Bug: 14857 Escape user supplied $color value and prevent XSS vuln. M lib/Horde/Core/Ui/VarRenderer/Html.php https://github.com/horde/Core/commit/da2342594b749f1f88747cbb11ecfdc188f64a85 Tue, 25 Sep 2018 16:11:27 +0000 https://bugs.horde.org/ticket/14857#t93047 Changes have been made in Git (FRAMEWORK_5_2): commit ecea6ea740419e19122a50579ba2903c1cb71d7a Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:11:51 -0400 Bug: 14857 Escape user supplied $color value and prevent XSS vuln. M lib/Horde/Core/Ui/VarRenderer/Html.php https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a Tue, 25 Sep 2018 16:11:58 +0000 https://bugs.horde.org/ticket/14857#t93048 Changes have been made in Git (FRAMEWORK_5_2): commit fb2113bbcd04bd4a28c46aad0889fb0a3979a230 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:12:35 -0400 Bug: 14857 Escape user supplied color data, preventing XSS vuln. M lib/View/Sidebar.php https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 Tue, 25 Sep 2018 16:13:10 +0000 https://bugs.horde.org/ticket/14857#t93049 Changes have been made in Git (master): commit dcad6626013cb000a94d77d07cd3933822424f4f Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:13:35 -0400 Bug: 14857 Escape user supplied color data, preventing XSS vuln. M lib/View/Sidebar.php https://github.com/horde/base/commit/dcad6626013cb000a94d77d07cd3933822424f4f Tue, 25 Sep 2018 16:13:43 +0000 https://bugs.horde.org/ticket/14857#t93050 Changes have been made in Git (FRAMEWORK_5_2): commit 09d90141292f9ec516a7a2007bf828ce2bbdf60d Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:15:27 -0400 Bug: 14857 Prevent XSS in event's URL field. M lib/Event.php https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d Tue, 25 Sep 2018 16:16:15 +0000 https://bugs.horde.org/ticket/14857#t93051 Changes have been made in Git (master): commit 5aea995ec867b3ab1f2e34d586b840221932b439 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 12:16:39 -0400 Bug: 14857 Prevent XSS in event's URL field. M lib/Event.php https://github.com/horde/kronolith/commit/5aea995ec867b3ab1f2e34d586b840221932b439 Tue, 25 Sep 2018 16:16:45 +0000 https://bugs.horde.org/ticket/14857#t93052 Hi, first of all: I'm glad that you solved mentioned bugs. In case of 'informing' - I tried. :) Please see attached screen. In case of any questions - feel free to ask. I'll answer as soon as possible (probably during next 24h). Best regards, Cody Sixteen > This is the first time that I'm seeing these, will investigate. > >> Several security vulnerabilities were publicly disclosed. >> >> https://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html >> >> They are also known as CVE-2017-16906, CVE-2017-16907, CVE-2017-16908 >> and CVE-2017-17781. >> >> Are you aware of these issues? The bug reporter claims that they are >> still present in the latest stable release. If you have already fixed >> them, I would appreciate more information about the concrete fixes >> because Debian and other Linux distributions would like to fix those >> issues. >> >> Thanks in advance >> >> Markus Koschany (apo@debian.org) > Tue, 25 Sep 2018 19:56:11 +0000 https://bugs.horde.org/ticket/14857#t93053 Changes have been made in Git (FRAMEWORK_5_2): commit 39f740068ad21618f6f70b6e37855c61cadbd716 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 20:21:56 -0400 Bug: 14857 Escape user-provided resource name when outputting. Prevents XSS vuln. M js/kronolith.js https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 Wed, 26 Sep 2018 00:23:13 +0000 https://bugs.horde.org/ticket/14857#t93054 Changes have been made in Git (master): commit 17bf57c1fe0e5febbef6efeed76cbd98b0422e85 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Tue, 25 Sep 2018 20:23:33 -0400 Bug: 14857 Escape user-provided resource name when outputting. Prevents XSS vuln. M js/kronolith.js https://github.com/horde/kronolith/commit/17bf57c1fe0e5febbef6efeed76cbd98b0422e85 Wed, 26 Sep 2018 00:23:39 +0000 https://bugs.horde.org/ticket/14857#t93055 Changes have been made in Git (FRAMEWORK_5_2): commit e88809517ada84e5dadf6da6d528539ea383d700 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 08:32:49 -0400 [mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857). M doc/Horde/Core/changelog.yml https://github.com/horde/Core/commit/e88809517ada84e5dadf6da6d528539ea383d700 Wed, 26 Sep 2018 12:53:24 +0000 https://bugs.horde.org/ticket/14857#t93061 Changes have been made in Git (FRAMEWORK_5_2): commit 96d17f32fe2bb3ee531d60736ec00aae81dfe480 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 08:32:49 -0400 [mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857). M doc/Horde/Core/CHANGES M package.xml https://github.com/horde/Core/commit/96d17f32fe2bb3ee531d60736ec00aae81dfe480 Wed, 26 Sep 2018 12:53:25 +0000 https://bugs.horde.org/ticket/14857#t93062 Changes have been made in Git (FRAMEWORK_5_2): commit b8a38e49de65f0f6e5d97554c1b00fa8aeda028c Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:10:09 -0400 [mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857). M docs/changelog.yml https://github.com/horde/kronolith/commit/b8a38e49de65f0f6e5d97554c1b00fa8aeda028c Wed, 26 Sep 2018 13:20:35 +0000 https://bugs.horde.org/ticket/14857#t93063 Changes have been made in Git (FRAMEWORK_5_2): commit 83ecd2badfac5bc433cf33e8186a80c3f9eb8a51 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:10:09 -0400 [mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857). M docs/CHANGES M package.xml https://github.com/horde/kronolith/commit/83ecd2badfac5bc433cf33e8186a80c3f9eb8a51 Wed, 26 Sep 2018 13:20:36 +0000 https://bugs.horde.org/ticket/14857#t93064 Changes have been made in Git (FRAMEWORK_5_2): commit 6ae7be8d5043acb568a686dc7f77de749f6848e7 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:13:43 -0400 [mjr] SECURITY: Fix XSS vulnerability in resource group property view (Bug #14857). M docs/changelog.yml https://github.com/horde/kronolith/commit/6ae7be8d5043acb568a686dc7f77de749f6848e7 Wed, 26 Sep 2018 13:20:36 +0000 https://bugs.horde.org/ticket/14857#t93065 Changes have been made in Git (FRAMEWORK_5_2): commit b99a31396591e4e38e232870c50c3c3e619d58f7 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:13:43 -0400 [mjr] SECURITY: Fix XSS vulnerability in resource group property view (Bug #14857). M docs/CHANGES M package.xml https://github.com/horde/kronolith/commit/b99a31396591e4e38e232870c50c3c3e619d58f7 Wed, 26 Sep 2018 13:20:37 +0000 https://bugs.horde.org/ticket/14857#t93066 Changes have been made in Git (FRAMEWORK_5_2): commit 3cca562b1b2c074196304684c5263a657a34b826 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 08:57:28 -0400 [mjr] SECURITY: Fix XSS vulnerability when rendering custom background colors in a sidebar row (Bug #14857). M docs/changelog.yml https://github.com/horde/base/commit/3cca562b1b2c074196304684c5263a657a34b826 Wed, 26 Sep 2018 13:22:36 +0000 https://bugs.horde.org/ticket/14857#t93067 Changes have been made in Git (FRAMEWORK_5_2): commit 8253ed9b43a2e7e9d9cf8cdb0b41b19af34ebbc3 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 08:57:28 -0400 [mjr] SECURITY: Fix XSS vulnerability when rendering custom background colors in a sidebar row (Bug #14857). M docs/CHANGES M package.xml https://github.com/horde/base/commit/8253ed9b43a2e7e9d9cf8cdb0b41b19af34ebbc3 Wed, 26 Sep 2018 13:22:37 +0000 https://bugs.horde.org/ticket/14857#t93068 Changes have been made in Git (master): commit 67d72baf06a3451d053d2dc414c75f66503623bc Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:26:49 -0400 [mjr] SECURITY: Fix XSS vulnerability in event URL field (Bug #14857). M doc/changelog.yml https://github.com/horde/kronolith/commit/67d72baf06a3451d053d2dc414c75f66503623bc Wed, 26 Sep 2018 13:27:27 +0000 https://bugs.horde.org/ticket/14857#t93069 Changes have been made in Git (master): commit 1e6c5e8eb53978916dbc5992507c170362a5f369 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:28:35 -0400 [mjr] SECURITY: Fix XSS vulnerability in resource group property view (Bug #14857). M doc/changelog.yml https://github.com/horde/kronolith/commit/1e6c5e8eb53978916dbc5992507c170362a5f369 Wed, 26 Sep 2018 13:29:07 +0000 https://bugs.horde.org/ticket/14857#t93070 Changes have been made in Git (master): commit e96c4029b98f0edd8cdb6ccc39c499ae2250f38a Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Wed, 26 Sep 2018 09:30:21 -0400 [mjr] SECURITY: Fix XSS vulnerability when rendering custom background colors in a sidebar row (Bug #14857). M doc/changelog.yml https://github.com/horde/base/commit/e96c4029b98f0edd8cdb6ccc39c499ae2250f38a Wed, 26 Sep 2018 13:30:34 +0000 https://bugs.horde.org/ticket/14857#t93071 These are all fixed, and released in horde/base horde/Core horde/Kronolith A release of the groupware bundles will be forthcoming. Wed, 26 Sep 2018 13:31:53 +0000 https://bugs.horde.org/ticket/14857#t93072 > These are all fixed, and released in > > horde/base > horde/Core > horde/Kronolith > > A release of the groupware bundles will be forthcoming. Thank you very much for fixing these issues. Would it be possible to document which commit fixed a specific CVE? That would allow me and others to easily reference the patches. Wed, 26 Sep 2018 16:43:01 +0000 https://bugs.horde.org/ticket/14857#t93077 >> These are all fixed, and released in >> >> horde/base >> horde/Core >> horde/Kronolith >> >> A release of the groupware bundles will be forthcoming. > > Thank you very much for fixing these issues. Would it be possible to > document which commit fixed a specific CVE? That would allow me and > others to easily reference the patches. Ah, right: CVE-2017-16906: https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d CVE-2017-16907: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 and https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 CVE-2017-16908: https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 ...and now as I'm doing this, I see that the last CVE referenced in your original report wasn't talked about on that blog page, so I missed it. Let me review that one to see if it's still pertinent or not.... Wed, 26 Sep 2018 17:44:21 +0000 https://bugs.horde.org/ticket/14857#t93082 CVE-2017-17781 was published in another blog post. I missed it myself, sorry. https://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html Thu, 27 Sep 2018 13:39:10 +0000 https://bugs.horde.org/ticket/14857#t93090 > CVE-2017-17781 was published in another blog post. I missed it myself, sorry. > > https://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html As far as 17781 goes, I can't verify any sql injection vulns. I've been in contact with the reporter, but have received no information that suggests there are any sql injection vuln in the areas specified in CVE-2017-17781. I consider these issues closed. Fri, 28 Sep 2018 17:04:43 +0000 https://bugs.horde.org/ticket/14857#t93092 I have asked the original reporter of CVE-2017-17781 to clarify the steps which are needed to produce a SQL injection. If a consensus cannot be reached or if he does not reply to this issue again, I will ask MITRE to review CVE-2017-17781. They might then either reject the issue or mark it as disputed. Sun, 30 Sep 2018 12:57:08 +0000 https://bugs.horde.org/ticket/14857#t93095 Hi, first of all, thanks for the ping via email. It was a busy week. ;) Second: I found copy/paste of requests I used (from Burp on the other VM). To use them: update your cookie for valid one (you can use Burp) because to exploit it you'll need to be an 'admin' anyway. Then, sqlmap should be good to reproduce (-r request.txt). As far as I remember 'display_errors' was enabled. One note to add: I tried those requests (with display_err to On and Off) for version 5.2.19 and .21 as well. I could not reproduce those 'steps' (for mentioned versions) this time - so it's a little surprise for me to be honest. ;) I did not yet check .22 version. As we spoke more privately: because we can not reproduce it now - it could be a false positive. But I think if it's just 'depend' on something we don't know now/yet - that is still worth to investigate (from the source code 'perspective'). If I can help - let me know. Thank you for your time. Best regards, Cody > I have asked the original reporter of CVE-2017-17781 to clarify the > steps which are needed to produce a SQL injection. If a consensus > cannot be reached or if he does not reply to this issue again, I will > ask MITRE to review CVE-2017-17781. They might then either reject the > issue or mark it as disputed. Sun, 30 Sep 2018 20:53:09 +0000 https://bugs.horde.org/ticket/14857#t93096 (...) files attached below again; comment to delete; thank you Sun, 30 Sep 2018 20:56:22 +0000 https://bugs.horde.org/ticket/14857#t93097 RE I verified request-files for version .22 as well. In my opinion those 2 SQLi bugs (for all 3 versions mentioned) should be considered as false positives. For version .22 I was able to 'inject' some data but it was garbage. Below you'll find few screens. My post on code610 will now be updated. I will also ask MITRE to update information about this CVE. Thkank you for your time. Best regards, Cody > (...) files attached below again; comment to delete; thank you Sun, 30 Sep 2018 21:27:12 +0000 https://bugs.horde.org/ticket/14857#t93098 I don't see https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a in Horde_Core 2.31.3... Sun, 07 Oct 2018 14:43:31 +0000 https://bugs.horde.org/ticket/14857#t93107 > I don't see > https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a in Horde_Core > 2.31.3... 2.31.3 being the latest on pear.horde.org. 2.31.6 is the latest on Git... Sun, 07 Oct 2018 19:19:00 +0000 https://bugs.horde.org/ticket/14857#t93108 Try again, you probably got on the fallback pear server, while the main server had temporarily been down. Tue, 09 Oct 2018 08:36:23 +0000 https://bugs.horde.org/ticket/14857#t93109 Changes have been made in Git (master): commit cb26695ae3295da10698f92e303a9b90f351fa58 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sun, 06 Jan 2019 17:47:55 -0500 [mjr] Prevent potential XSS vuln when rendering a colorpicker (Bug #14857). M doc/Horde/Core/changelog.yml https://github.com/horde/Core/commit/cb26695ae3295da10698f92e303a9b90f351fa58 Sun, 06 Jan 2019 22:48:02 +0000 https://bugs.horde.org/ticket/14857#t93201