
[#6906] The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Summary The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Queue Horde Base
Queue Version 3.2
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester nicolas.kerschenbaum (at) xmcopartners (dot) com
Created 06/12/2008
Due 06/10/2008
Updated 06/13/2008
Assigned 06/12/2008
Resolved 06/13/2008
Milestone
Patch No

History
06/13/2008 09:46:20 PM Chuck Hagenbuch Comment #11
Assigned to Chuck Hagenbuch
State ⇒ Resolved
This is fixed in CVS, and Horde 3.2.1 will be out with the fix presently.
06/13/2008 04:12:11 PM Chuck Hagenbuch Comment #9
no, i already moved it to the horde queue
06/13/2008 03:57:39 PM nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #8
So could you remove this ticket? I will post a new one in the Horde Bugs topic.

Regards

06/13/2008 03:52:26 PM Chuck Hagenbuch Comment #7
Version ⇒ 3.2
Queue ⇒ Horde Base
that's not even part of turba
06/13/2008 03:43:38 PM nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #6
Indeed, the page add.php is not the issue, but the parameter 'object[name]', saved in the add.php page, is not sanitized in the page '/horde/services/obrowser/?path=turba/localsql'.

06/13/2008 02:58:12 PM Chuck Hagenbuch Comment #5
your initial report was misleading about where the vulnerability is 
(xss is a display problem, so add.php isn't the issue). we are 
currently investigating.
06/13/2008 08:59:58 AM nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #4
New Attachment: xss.png Download
1) I add a contact (page: '/horde/turba/add.php') with the name:
Jean Dupont<!--a75c305b1c0a6022--><script>alert('XMCO');</script>

http://img258.imageshack.us/img258/3708/formao0.png

2) I see my contact list (page: '/horde/services/obrowser/?path=turba/localsql:heremylogin')

and there is an XSS

http://img246.imageshack.us/img246/5604/xsswt6.png

So, if this security bug is fixed, which version is not vulnerable?

Regards
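The two-step reproduction above (store the payload as a contact name, then view the list in obrowser) comes down to an output-encoding problem, as Comment #5 notes: storing the raw name is fine, the bug is writing it into HTML unescaped. The following is an added illustration, not Horde or Turba code, with hypothetical function names and the reporter's payload as a constructed sample; it shows the vulnerable rendering beside a hardened one that encodes at output for both the element-content context (the contact list) and the attribute context (the add.php form field).

```php
<?php
// Added example, not Horde/Turba code. All function names are hypothetical.
// Requires PHP 8 (str_contains).
declare(strict_types=1);

// Constructed sample: the reporter's payload as it would sit in the contact store.
const SAMPLE_NAME = "Jean Dupont<!--a75c305b1c0a6022--><script>alert('XMCO');</script>";

/** Vulnerable: the stored name is interpolated straight into HTML. */
function renderContactRowVulnerable(string $name): string
{
    return '<li class="contact">' . $name . '</li>';
}

/** Encode for HTML element content and attribute values (double-quoted). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: same stored value, encoded at the point of output. */
function renderContactRowSafe(string $name): string
{
    return '<li class="contact">' . h($name) . '</li>';
}

/** Attribute context, as in the add.php form field: quote the attribute and encode the value. */
function renderNameInputSafe(string $name): string
{
    return '<input type="text" name="object[name]" value="' . h($name) . '" maxlength="255" />';
}

/** Crude check for a live script tag in rendered markup. */
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

$vulnerable = renderContactRowVulnerable(SAMPLE_NAME);
$safeRow    = renderContactRowSafe(SAMPLE_NAME);
$safeInput  = renderNameInputSafe(SAMPLE_NAME);

check(containsLiveScriptTag($vulnerable), 'vulnerable rendering should carry the script tag');
check(!containsLiveScriptTag($safeRow), 'encoded row must not contain a live script tag');
check(str_contains($safeRow, '&lt;script&gt;'), 'encoded row should show the escaped tag');
check(!containsLiveScriptTag($safeInput), 'encoded attribute must not break out of the value');
check(str_contains($safeInput, '&#039;XMCO&#039;') || str_contains($safeInput, '&apos;XMCO&apos;'),
    'single quotes inside the attribute value should be encoded');

echo $vulnerable, PHP_EOL;
echo $safeRow, PHP_EOL;
echo $safeInput, PHP_EOL;
```

The point of the `h()` helper is that the encoding decision is made where the value meets the markup, so the same stored name can be shown in the contact list, in the edit form and anywhere else without each caller having to know how it was entered; filtering on input (in add.php) would not have protected obrowser, which is why the maintainer moved the ticket to the Horde Base queue.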
06/12/2008 06:24:58 PM Chuck Hagenbuch Comment #3
Well, there was another problem, but not in add.php itself - are you 
saying the vulnerability you see is on the add form itself?
06/12/2008 05:01:50 PM Chuck Hagenbuch Comment #2
State ⇒ Feedback
Yes, it is.
06/12/2008 04:28:54 PM nicolas (dot) kerschenbaum (at) xmcopartners (dot) com Comment #1
State ⇒ Unconfirmed
Milestone ⇒
Queue ⇒ Turba
Due ⇒ 06/10/2008
Summary ⇒ The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'
Type ⇒ Bug
Priority ⇒ 2. Medium
Hello,

I found a security hole in Turba H3 2.1.7.

This is a Cross Site Scripting (XSS) vulnerability.

The parameter 'object[name]' is not sanitized in the page '/horde/turba/add.php'.

POC:

<input type="text" name="object[name]" id="object[name]" size="40" value="<!--a75c305b1c0a6022--><script>alert('XSS by Nicolas Kerschenbaum');</script>"  maxlength="255" />

Could you tell me if this vulnerability is corrected in the last version of Turba (2.2)?

Regards

Nicolas Kerschenbaum
