Hi

What the attacker can do is the following:
* Set up a fake site.
* Trick some user to go to that site.
* Redirect the user to the real site and inject some fake login code or
  similar.

There is proof on SecurityFocus that it is possible:

[Base_HREF]/horde/[Horde_App]/login.php?new_lang=%22%3E%3Cbody%20onload=%22alert%28'XSS'%29%3B

I could not really understand how that is possible, as the only place
where the code does not look like this:

isset($GLOBALS['nls']['rtl'][$GLOBALS['language']]

is in the mobile device handling code... However, I have tested it myself and
yes, it is possible to do this kind of XSS thing, so it must be some other
variable that is set somewhere.

In any case, I'm uploading the sid version now.

Regards,

// Ola

On Sun, Jul 22, 2007 at 09:06:48AM +0200, Gregory Colpart wrote:
> Hello,
> 
> The package horde3 has an XSS vulnerability (See CVE-2007-1473 and bug #434045).
> Affected versions are:
> - sarge version (3.0.4-4sarge4)
> - etch version (3.1.3-4)
> - testing/unstable version (3.1.3-5)
> 
> 
> The upstream patch is trivial
> (http://bugs.horde.org/ticket/?id=4816):
> 
> 8<----------------------------------
> - } elseif (!empty($lang)) {
> + } elseif (!empty($lang) && NLS::isValid($lang)) {
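Review bot: this gate only covers the one `elseif (!empty($lang))` branch, and the reply at the top of this thread reports that the injection still worked even though the `$GLOBALS['language']` consumer it inspected is already guarded by `isset($GLOBALS['nls']['rtl'][$GLOBALS['language']])`, with the mobile device handling code named as the path that differs. The reviewer should therefore check every place the `new_lang` parameter is copied into `$lang` or `$GLOBALS['language']` and apply `NLS::isValid($lang)` there as well, ideally once at the point where `new_lang` is read so no later branch can bypass it. As defense in depth, the language value should also be passed through `htmlspecialchars()` wherever it is written into HTML, so that a path the allowlist misses still fails closed.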
> 8<----------------------------------
> 
> 
> I prepared fixed packages:
> 
> - sarge version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff
> 
> - etch version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff
> 
> - unstable version
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
> http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff
> 
> Note that I'm a member of the pkg-horde team but I'm not a DD, so
> I am waiting for my sponsor to upload the unstable package.
> 
> 
> If you want to test the vulnerability, you could go to:
> http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
> (I can provide you a vulnerable URL in private if you want)
> 
> 
> Information for the advisory:
> 
> 8<----------------------------------
> horde3 -- XSS vulnerability
> 
> Date Reported:
>     ?? Jul 2007
> Affected Packages:
>     horde3
> Vulnerable:
>     Yes
> Security database references:
>     In Mitre's CVE dictionary: CVE-2007-1473
> More information:
> 
> It was discovered that the Horde web application framework has a cross-site
> scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote
> attackers to inject arbitrary web script or HTML via the new_lang parameter.
> 
> For the old stable distribution (sarge) this problem has been fixed in version
> 3.0.4-4sarge5.
> 
> For the stable distribution (etch) this problem has been fixed in version 
> 3.1.3-4etch1.
> 
> For the unstable distribution (sid) this problem has been fixed in version 
> 3.1.4-1.
> 
> We recommend that you upgrade your horde3 package.
> 8<----------------------------------
> 
> 
> Regards,
> -- 
> Gregory Colpart <[EMAIL PROTECTED]>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://opalsys.net/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
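Added example, not Horde's own code: the allowlist check that the upstream patch applies to new_lang, written out as a small PHP sketch of the pattern. The $nls array shape, isValidLang(), selectLanguage() and htmlStartTag() are assumptions modelled on the $GLOBALS['nls'] usage mentioned in the thread, not Horde's NLS::isValid().

```php
<?php
// Added example (not Horde's own code): allowlist validation of a
// user-supplied language code, the approach of the upstream fix above.
// The $nls table shape below is an assumption modelled on the
// $GLOBALS['nls'] usage quoted in this thread.
$nls = [
    'languages' => ['en_US' => 'English', 'de_DE' => 'Deutsch', 'ar_SY' => 'Arabic'],
    'rtl'       => ['ar_SY' => true],
];

/** Return true only if $lang is one of the configured language codes. */
function isValidLang(array $nls, string $lang): bool
{
    return isset($nls['languages'][$lang]);
}

/**
 * Select the session language. An unknown or malformed new_lang value is
 * ignored and logged, so it never reaches $GLOBALS['language'].
 */
function selectLanguage(array $nls, ?string $newLang, string $default = 'en_US'): string
{
    if (!empty($newLang) && isValidLang($nls, $newLang)) {
        return $newLang;
    }
    if (!empty($newLang)) {
        error_log('rejected new_lang value (hex): ' . bin2hex($newLang));
    }
    return $default;
}

/** Render the <html> start tag; the value is HTML-escaped as defense in depth. */
function htmlStartTag(array $nls, string $lang): string
{
    $dir = isset($nls['rtl'][$lang]) ? 'rtl' : 'ltr';
    return '<html lang="' . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '" dir="' . $dir . '">';
}

// Constructed inputs: a valid code, an RTL code and a value carrying markup.
foreach (['de_DE', 'ar_SY', '"><b>not a language</b>'] as $candidate) {
    $lang = selectLanguage($nls, $candidate);
    echo htmlStartTag($nls, $lang), "\n";
}
```

The third input is rejected by the allowlist and the default language is rendered instead; the error_log line is the detection hook, and htmlspecialchars() keeps any path the allowlist misses from emitting raw markup.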

