Bug 452209 (CVE-2008-2783)
| Summary: | CVE-2008-2783 kronolith: XSS via timestamp parameter of multiple scripts | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | Keywords: | Security |
| Severity: | medium | Priority: | medium |
| Version: | unspecified | CC: | j, vdanen |
| Hardware: | All | OS: | Linux |
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2783 | Doc Type: | Bug Fix |
| Last Closed: | 2010-12-23 19:26:50 UTC | Bug Depends On: | 665435 |

Description
Tomas Hoger
2008-06-20 08:41:24 UTC
I do not see this mentioned on the upstream page, nor any related changes in the upstream CVS. BID provides some sample test cases:

http://www.securityfocus.com/bid/29365/exploit

http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/horde=<XSS>

Do these work for anyone?

(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS. BID provides some sample test cases:

I'd agree with that view, I can't see anything.

>
> http://www.securityfocus.com/bid/29365/exploit
>
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/horde=<XSS>
>
> Do these work for anyone?

I'll take a look at this when I wake up in the morning, I've had some 2.2 updates mostly ready, but I think this is slightly more urgent.

(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS. BID provides some sample test cases:
>
> http://www.securityfocus.com/bid/29365/exploit
>
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/horde=<XSS>

404

>
> Do these work for anyone?

Doesn't work under a default install on Fedora 9, even with debug logging configured, I can't see this occurring. It may be due to some special voodoo that occurs in the Spec file that means it doesn't happen here, but from my eyes (which may have missed something) I can't see the issue.

I suspect you also tried variants like timestamp=<XSS> (not sure if those gt/lt were added by securityfocus or were intentional).

Created kronolith tracking bugs for this issue

Affects: fedora-all [bug 665435]

Do we know if this is still valid? I've not been able to find any information on whether or not this has been corrected upstream or not.

I have no idea if this is still valid. Does anyone know? It's quite old. I have filed a Fedora tracker so it doesn't get lost, but am closing the top-level bug as there is no additional information I can find. If this is no longer relevant, please feel free to close the corresponding Fedora tracker.

Looking through the changelog, the last mention of XSS fixes was 2.0.6, and in our spec there is a note about a fixed XSS in 2.1.8. And I see nothing recent in git or older in their CVS repository. I'm closing this as NOTABUG since it doesn't look like upstream has (or the problem is not in kronolith at all). In fact, I'm going to close the Fedora bug as well. I'd be surprised if a legitimate XSS vuln has persisted for 2.5 years.