Summary | XSS Vulnerability |
Queue | Gollem |
Queue Version | 1.1.1 |
Type | Bug |
State | Resolved |
Priority | 3. High |
Owners | slusarz (at) horde (dot) org |
Requester | nightmare.lmw (at) anarchynet (dot) org |
Created | 08/21/2010 (5386 days ago) |
Due | |
Updated | 10/12/2022 (951 days ago) |
Assigned | |
Resolved | 08/24/2010 (5383 days ago) |
Milestone | |
Patch | Yes |
Assigned to Michael Slusarz
State ⇒ Resolved
http://lists.horde.org/archives/commits/2010-August/004747.html
This has been fixed in 1.1.2, although slightly differently from your
patch - we instead use the Horde::fatal() function, which is the
preferred way of reporting these kinds of errors anyway.
Thank you for your report.
Bug: 9191
Submitted by: nightmare.lmw@anarchynet.org
Fix CSS vulnerability when viewing file data.
http://cvs.horde.org/diff.php/gollem/docs/CHANGES?rt=horde&r1=1.114.2.57&r2=1.114.2.58&ty=u
http://cvs.horde.org/diff.php/gollem/view.php?rt=horde&r1=1.51.2.6&r2=1.51.2.7&ty=u
Priority ⇒ 3. High
New Attachment: view.php.patched
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Gollem
Summary ⇒ XSS Vulnerability
Type ⇒ Bug
State ⇒ Unconfirmed
Exploit :
http://localhost/horde/gollem/view.php?actionID=view_file&type=txt&file=<!--a75c305b1c0a6022--><script>alert("XSS")</script>&dir=../baddir/&driver=file
Vulnerable file : view.php (Line 32 - 46)
Vulnerable code :
    if (is_callable(array($GLOBALS['gollem_vfs'], 'readStream'))) {
        $stream = $GLOBALS['gollem_vfs']->readStream($filedir, $filename);
        if (is_a($stream, 'PEAR_Error')) {
            Horde::logMessage($stream, __FILE__, __LINE__, PEAR_LOG_NOTICE);
            // $filename is written to the response without HTML escaping
            printf(_("Access denied to %s"), $filename);
            exit;
        }
    } else {
        $data = $GLOBALS['gollem_vfs']->read($filedir, $filename);
        if (is_a($data, 'PEAR_Error')) {
            Horde::logMessage($data, __FILE__, __LINE__, PEAR_LOG_NOTICE);
            // Same unescaped output in the non-stream branch
            printf(_("Access denied to %s"), $filename);
            exit;
        }
    }
I hope you fix the vulnerability asap. Patch in attachment.
Have a nice day.
Nicolas C. [NightMareLmW From DevSec]
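
The error branch from the report, reduced to a stand-alone script with the unescaped message beside an HTML-encoded one. This is an added example, not Gollem code and not the change committed for 1.1.2 (which uses Horde::fatal()). The function names and the failing read stub are hypothetical; the sample `file` value is the one from the URL in the report.

```php
<?php
// Added example: not Gollem code. All function names here are hypothetical.

// Stand-in for a VFS read that fails, as in the error branch quoted in the report.
function read_file_stub(string $dir, string $name)
{
    return false; // constructed: every read is denied
}

// Same pattern as the reported code: the request value reaches HTML output unescaped.
function denied_message_unescaped(string $filename): string
{
    return sprintf('Access denied to %s', $filename);
}

// Encode for the HTML context before output, so markup in the name renders as text.
function denied_message_escaped(string $filename): string
{
    return sprintf(
        'Access denied to %s',
        htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

// Constructed request, using the "file" and "dir" values from the URL in the report.
$request = [
    'file' => '<!--a75c305b1c0a6022--><script>alert("XSS")</script>',
    'dir'  => '../baddir/',
];

if (read_file_stub($request['dir'], $request['file']) === false) {
    $raw  = denied_message_unescaped($request['file']);
    $safe = denied_message_escaped($request['file']);

    // Does the unescaped message still carry a literal <script> tag?
    var_dump(strpos($raw, '<script>') !== false);
    // Is the escaped message free of tag delimiters?
    var_dump(strpbrk($safe, '<>') === false);
    echo $safe, PHP_EOL;
}
```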