2016-12-06

[#9191] XSS Vulnerability
Summary XSS Vulnerability
Queue Gollem
Queue Version 1.1.1
Type Bug
State Resolved
Priority 3. High
Owners slusarz (at) horde (dot) org
Requester nightmare.lmw (at) anarchynet (dot) org
Created 2010-08-21 (2299 days ago)
Due
Updated 2010-08-24 (2296 days ago)
Assigned
Resolved 2010-08-24 (2296 days ago)
Milestone
Patch Yes

History
2010-08-24 18:38:26 Michael Slusarz Comment #3
Assigned to Michael Slusarz
State ⇒ Resolved
Git master fix:
http://lists.horde.org/archives/commits/2010-August/004747.html

This has been fixed in 1.1.2, although slightly different from your
patch - we instead use the Horde::fatal() function which is the
preferred way of reporting these kinds of errors anyway.

Thank you for your report.
2010-08-21 14:20:21 nightmare (dot) lmw (at) anarchynet (dot) org Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ XSS Vulnerability
Queue ⇒ Gollem
Milestone ⇒
Patch ⇒ Yes
New Attachment: view.php.patched
I have found a Cross-Site Scripting vulnerability in Gollem.

Exploit : 
http://localhost/horde/gollem/view.php?actionID=view_file&type=txt&file=<script>alert("XSS")</script>&dir=../baddir/&driver=file

Vulnerable file : view.php (Line 32 - 46)

Vulnerable code :

if (is_callable(array($GLOBALS['gollem_vfs'], 'readStream'))) {
     $stream = $GLOBALS['gollem_vfs']->readStream($filedir, $filename);
     if (is_a($stream, 'PEAR_Error')) {
         Horde::logMessage($stream, __FILE__, __LINE__, PEAR_LOG_NOTICE);
         printf(_("Access denied to %s"), $filename);
         exit;
     }
} else {
     $data = $GLOBALS['gollem_vfs']->read($filedir, $filename);
     if (is_a($data, 'PEAR_Error')) {
         Horde::logMessage($data, __FILE__, __LINE__, PEAR_LOG_NOTICE);
         printf(_("Access denied to %s"), $filename);
         exit;
     }
}

I hope you fix the vulnerability asap. Patch in attachment.

Have a nice day.

Nicolas C. [NightMareLmW From DevSec]
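
The reported pattern next to an output-encoded form, as an added example that is neither Gollem's code nor the attached patch (Comment #3 states the 1.1.2 fix uses Horde::fatal() instead). The function names are hypothetical, the gettext _() wrapper is left out so the script runs stand-alone, and only the first test input comes from the ticket.

```php
<?php
declare(strict_types=1);

// Added example, not Gollem code. Function names are hypothetical and the
// gettext _() wrapper from the ticket is omitted to keep this stand-alone.

// The reported pattern: the request-supplied file name is formatted into
// the HTML error output as-is.
function denyMessageUnescaped(string $filename): string
{
    return sprintf('Access denied to %s', $filename);
}

// Hardened form: encode for an HTML context at the point of output.
// ENT_QUOTES also covers a value that ends up inside a quoted attribute.
function denyMessageEscaped(string $filename): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('Access denied to %s', $safe);
}

// True if the output still holds characters that can open a tag or close
// a quoted attribute.
function hasActiveMarkup(string $html): bool
{
    return strpbrk($html, '<>"\'') !== false;
}

// Regression inputs: the first is the file parameter from the ticket's URL,
// the other two are constructed.
$cases = ['<script>alert("XSS")</script>', "notes'.txt", 'report.txt'];

foreach ($cases as $name) {
    $before = denyMessageUnescaped($name);
    $after  = denyMessageEscaped($name);
    if (hasActiveMarkup($after)) {
        throw new RuntimeException("escaping failed for: $name");
    }
    // Decoding must return the original text, so legitimate names still
    // display unchanged in the browser.
    if (html_entity_decode($after, ENT_QUOTES, 'UTF-8') !== $before) {
        throw new RuntimeException("round trip failed for: $name");
    }
    printf("%-32s markup before: %-3s after: no\n",
        $name, hasActiveMarkup($before) ? 'yes' : 'no');
}
```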
