6.0.0-git
2021-12-09

[#6906] The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Summary The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Queue Horde Base
Queue Version 3.2
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester nicolas.kerschenbaum (at) xmcopartners (dot) com
Created 2008-06-12 (4928 days ago)
Due 06/10/2008 (4930 days ago)
Updated 2008-06-13 (4927 days ago)
Assigned 2008-06-12 (4928 days ago)
Resolved 2008-06-13 (4927 days ago)
Milestone
Patch No

History
2008-06-13 21:46:20 Chuck Hagenbuch Comment #11
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Reply to this comment
This is fixed in CVS, and Horde 3.2.1 will be out with the fix presently.
2008-06-13 16:12:11 Chuck Hagenbuch Comment #9 Reply to this comment
no, i already moved it to the horde queue
2008-06-13 15:57:39 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #8 Reply to this comment
So could you remove this ticket, I will post a new one in the Horde 
Bugs topic.



Regards


2008-06-13 15:52:26 Chuck Hagenbuch Comment #7
Version ⇒ 3.2
Queue ⇒ Horde Base
Reply to this comment
that's not even part of turba
2008-06-13 15:43:38 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #6 Reply to this comment
Indeed, the page add.php is not the issue, but the parameter 
'object[name]', saved in add.php page, is not sanitized in the page 
'/horde/services/obrowser/?path=turba/localsql'.




2008-06-13 14:58:12 Chuck Hagenbuch Comment #5 Reply to this comment
your initial report was misleading about where the vulnerability is 
(xss is a display problem, so add.php isn't the issue). we are 
currently investigating.
2008-06-13 08:59:58 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #4
New Attachment: xss.png Download
Reply to this comment
1) I add a contact (page: '/horde/turba/add.php') with the name :   
Jean Dupont<script>alert('XMCO');</script>

http://img258.imageshack.us/img258/3708/formao0.png



2) I see my contact list (page: 
'/horde/services/obrowser/?path=turba/localsql:heremylogin')

and there is a XSS

http://img246.imageshack.us/img246/5604/xsswt6.png



So, if this security bug is fixed, which version is not vulnerable ?



Regards
2008-06-12 18:24:58 Chuck Hagenbuch Comment #3 Reply to this comment
Well, there was another problem, but not in add.php itself - are you 
saying the vulnerability you see is on the add form itself?
2008-06-12 17:01:50 Chuck Hagenbuch Comment #2
State ⇒ Feedback
Reply to this comment
Yes, it is.
2008-06-12 16:28:54 nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Due ⇒ 2008-06-10
Queue ⇒ Turba
Milestone ⇒
Reply to this comment
Hello,



I found a security hole in Turba H3 2.1.7

This is a Cross Site Scripting (XSS) vulnerability.

The parameter 'object[name]' is not sanitized in the page 
'/horde/turba/add.php'



POC:



<input type="text" name="object[name]" id="object[name]" size="40" 
value="<script>alert('XSS by Nicolas Kerschenbaum');</script>"   
maxlength="255" />







Could you tell me if this vulnerability is corrected in the last 
version of turba (2.2).



Regards



Nicolas Kerschenbaum

Saved Queries