Bug 452549 (CVE-2008-6746)

Summary: CVE-2008-6746 turba: XSS issue in the contact view
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-27 11:16:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-06-23 17:35:48 UTC 
New turba upstream version 2.2.1 was released to address XSS issue in the
contact view.

Note in upstream changelog:
  SECURITY: Escape contact names in the contact display view.

Upstream patch:
http://cvs.horde.org/diff.php/turba/contact.php?r1=1.11&r2=1.12

2.2.1 announcement:
http://lists.horde.org/archives/announce/2008/000414.html
http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.165&r2=1.181.2.170&ty=h

Other references:
http://secunia.com/advisories/30697/

Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
is appreciated though.
Comment 1 Fedora Update System 2008-06-24 04:29:40 UTC 
turba-2.2.1-1.fc9 has been submitted as an update for Fedora 9
Comment 2 Fedora Update System 2008-06-24 04:30:45 UTC 
turba-2.2.1-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Nigel Jones 2008-06-24 04:37:07 UTC 
(In reply to comment #0)
> Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
> currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
> is appreciated though.

Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
updates as security though.

Also EPEL-5 now has an updated version (2.2.1).
Comment 4 Fedora Update System 2008-06-25 02:51:20 UTC 
turba-2.2.1-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update turba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5652
Comment 5 Tomas Hoger 2008-06-25 14:39:44 UTC 
(In reply to comment #3)

> Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
> updates as security though.

Given the information in comment #0, I changed them to enhancement.  Feel free
to request stable as needed.  Sorry for the delay.
Comment 6 Tomas Hoger 2008-08-27 11:16:58 UTC 
No further action needed here, closing.
Comment 7 Tomas Hoger 2009-04-24 07:25:07 UTC 
CVE-2008-6746:

Cross-site scripting (XSS) vulnerability in the contact display view
in Turba Contact Manager H3 before 2.2.1 allows remote attackers to
inject arbitrary web script or HTML via the contact name.