Bug 452209 (CVE-2008-2783)

Summary: CVE-2008-2783 kronolith: XSS via timestamp parameter of multiple scripts
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: j, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2783
Doc Type: Bug Fix
Last Closed: 2010-12-23 19:26:50 UTC
Bug Depends On: 665435

Description Tomas Hoger 2008-06-20 08:41:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2783 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI.  NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

References:
http://www.securityfocus.com/bid/29365
http://xforce.iss.net/xforce/xfdb/42640
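As an added illustration (not code from Horde or Kronolith, whose actual handling of this parameter the thread never establishes), the PHP below puts the pattern that makes a `timestamp` query parameter reflectable next to a hardened version that validates the value as a non-negative integer and still escapes it on output. The function names, the fixed "now" value and the sample inputs are constructed for this example.

```php
<?php
// Added example, not Horde/Kronolith code: handling of a "timestamp"
// request parameter so that non-numeric input is never reflected into
// the generated HTML unescaped.

/**
 * The reflectable pattern: the raw request value is interpolated straight
 * into markup, so a value like <XSS> ends up in the page as-is.
 */
function render_timestamp_field_unsafe(?string $raw, int $fallback): string
{
    $ts = ($raw === null || $raw === '') ? (string) $fallback : $raw;
    return '<input type="hidden" name="timestamp" value="' . $ts . '">';
}

/**
 * Return a validated Unix timestamp from raw request input, or null when
 * the value is not a plain non-negative integer. Unlike an (int) cast,
 * FILTER_VALIDATE_INT rejects strings that carry any trailing garbage.
 */
function parse_timestamp_param(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $value === false ? null : $value;
}

/**
 * Hardened form: the value is an integer by the time it reaches the
 * template, and it is escaped on output anyway so the defence does not
 * rest on the validation step alone.
 */
function render_timestamp_field(?string $raw, int $fallback): string
{
    $ts = parse_timestamp_param($raw) ?? $fallback;
    return '<input type="hidden" name="timestamp" value="'
        . htmlspecialchars((string) $ts, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample inputs: a valid timestamp, the malformed values from
// the report, a value with trailing garbage, and an empty parameter.
$now = 1213951284; // constructed fixed "now" so the output is reproducible
foreach (['1213951284', '<XSS>', '&lt;XSS&gt;', '123abc', ''] as $raw) {
    printf("%-14s unsafe: %s\n", var_export($raw, true),
        render_timestamp_field_unsafe($raw, $now));
    printf("%-14s safe:   %s\n", '', render_timestamp_field($raw, $now));
}
```

Run with `php example.php`: every malformed input falls back to the fixed timestamp in the hardened version, while the unsafe version echoes it into the attribute unchanged. Validating at the boundary and escaping at output are independent layers; either alone closes this particular reflection, and keeping both means a later template change cannot silently reopen it.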

Comment 2 Nigel Jones 2008-06-20 12:38:39 UTC
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
I'd agree with that view, I can't see anything.
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=&lt;XSS&gt;
> http://www.example.com/horde/kronolith/workweek.php?timestamp=&lt;XSS&gt;
> http://www.example.com/horde/kronolith/day.php?timestamp=&lt;XSS&gt;
> http://www.example.com/horde/kronolith/horde=&lt;XSS&gt;
> 
> Do these work for anyone?

I'll take a look at this when I wake up in the morning. I've had some 2.2
updates mostly ready, but I think this is slightly more urgent.

Comment 3 Nigel Jones 2008-06-22 03:32:18 UTC
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=&lt;XSS&gt;
Can not reproduce
> http://www.example.com/horde/kronolith/workweek.php?timestamp=&lt;XSS&gt;
Can not reproduce
> http://www.example.com/horde/kronolith/day.php?timestamp=&lt;XSS&gt;
Can not reproduce
> http://www.example.com/horde/kronolith/horde=&lt;XSS&gt;
404
> 
> Do these work for anyone?
Doesn't work under a default install on Fedora 9, even with debug logging
configured, I can't see this occurring.

It may be due to some special voodoo that occurs in the Spec file that means it
doesn't happen here, but from my eyes (which may have missed something) I can't
see the issue.

Comment 4 Tomas Hoger 2008-06-23 17:48:10 UTC
I suspect you also tried variants like timestamp=<XSS> (not sure if those gt/lt
were added by securityfocus or were intentional).

Comment 5 Vincent Danen 2010-12-23 19:16:15 UTC
Created kronolith tracking bugs for this issue

Affects: fedora-all [bug 665435]

Comment 6 Vincent Danen 2010-12-23 19:26:50 UTC
Do we know if this is still valid?  I've not been able to find any information on whether or not this has been corrected upstream or not.  I have no idea if this is still valid.

Does anyone know?  It's quite old.  I have filed a Fedora tracker so it doesn't get lost, but am closing the top-level bug as there is no additional information I can find.  If this is no longer relevant, please feel free to close the corresponding Fedora tracker.

Looking through the changelog, the last mention of XSS fixes was 2.0.6, and in our spec there is a note about a fixed XSS in 2.1.8.  And I see nothing recent in git or older in their CVS repository.

I'm closing this as NOTABUG since it doesn't look like upstream has (or the problem is not in kronolith at all).

In fact, I'm going to close the Fedora bug as well.  I'd be surprised if a legitimate XSS vuln has persisted for 2.5 years.