6.0.0-git
2021-01-24

[#6906] The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Summary The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Queue Horde Base
Queue Version 3.2
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester nicolas.kerschenbaum (at) xmcopartners (dot) com
Created 2008-06-12 (4609 days ago)
Due 06/10/2008 (4611 days ago)
Updated 2008-06-13 (4608 days ago)
Assigned 2008-06-12 (4609 days ago)
Resolved 2008-06-13 (4608 days ago)
Milestone
Patch No

History
2008-06-13 21:46:20 Chuck Hagenbuch Comment #11
Assigned to Chuck Hagenbuch
State ⇒ Resolved		 Reply to this comment
This is fixed in CVS, and Horde 3.2.1 will be out with the fix presently.
2008-06-13 16:12:11 Chuck Hagenbuch Comment #9 Reply to this comment
no, i already moved it to the horde queue
2008-06-13 15:57:39 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #8 Reply to this comment
So could you remove this ticket, I will post a new one in the Horde 
Bugs topic.



Regards


2008-06-13 15:52:26 Chuck Hagenbuch Comment #7
Version ⇒ 3.2
Queue ⇒ Horde Base		 Reply to this comment
that's not even part of turba
2008-06-13 15:43:38 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #6 Reply to this comment
Indeed, the page add.php is not the issue, but the parameter 
'object[name]', saved in add.php page, is not sanitized in the page 
'/horde/services/obrowser/?path=turba/localsql'.




2008-06-13 14:58:12 Chuck Hagenbuch Comment #5 Reply to this comment
your initial report was misleading about where the vulnerability is 
(xss is a display problem, so add.php isn't the issue). we are 
currently investigating.
2008-06-13 08:59:58 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #4
New Attachment: xss.png Download		 Reply to this comment
1) I add a contact (page: '/horde/turba/add.php') with the name :   
Jean Dupont<script>alert('XMCO');</script>

http://img258.imageshack.us/img258/3708/formao0.png



2) I see my contact list (page: 
'/horde/services/obrowser/?path=turba/localsql:heremylogin')

and there is a XSS

http://img246.imageshack.us/img246/5604/xsswt6.png



So, if this security bug is fixed, which version is not vulnerable ?



Regards
2008-06-12 18:24:58 Chuck Hagenbuch Comment #3 Reply to this comment
Well, there was another problem, but not in add.php itself - are you 
saying the vulnerability you see is on the add form itself?
2008-06-12 17:01:50 Chuck Hagenbuch Comment #2
State ⇒ Feedback		 Reply to this comment
Yes, it is.
2008-06-12 16:28:54 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Due ⇒ 2008-06-10
Queue ⇒ Turba
Milestone ⇒ 		Reply to this comment
Hello,



I found a security hole in Turba H3 2.1.7

This is a Cross Site Scripting (XSS) vulnerability.

The parameter 'object[name]' is not sanitized in the page 
'/horde/turba/add.php'



POC:



<input type="text" name="object[name]" id="object[name]" size="40" 
value="<script>alert('XSS by Nicolas Kerschenbaum');</script>"   
maxlength="255" />







Could you tell me if this vulnerability is corrected in the last 
version of turba (2.2).



Regards



Nicolas Kerschenbaum
New Ticket
My Tickets
Search
Query Builder
Reports

Saved Queries

Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers