Bug 464210 (CVE-2008-4182)

Summary:

CVE-2008-4182 turba / imp: XSS attack

Product:

[Other] Security Response

Reporter:

Josh Bressers <bressers>

Component:

vulnerability

Assignee:

Red Hat Product Security <security-response-team>

Status:

CLOSED ERRATA

QA Contact:

Severity:

medium

Docs Contact:

Priority:

medium

Version:

unspecified

CC:

j, nb

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

URL:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4182

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2010-07-27 05:26:25 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

464211, 464212, 464213

Bug Blocks:

Attachments:

Description	Flags
IMP fix	none
Turba fix	none

Description Josh Bressers 2008-09-26 18:30:47 UTC

Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba and
IMP, allows remote attackers to inject arbitrary web script or HTML via the
User field in an IMAP session.

http://packetstormsecurity.org/0809-exploits/turba-xss.txt
http://www.securityfocus.com/bid/31168
http://xforce.iss.net/xforce/xfdb/45131


The patches can be found here:
http://cvs.horde.org/diff.php/imp/test.php?r1=1.70&r2=1.71
http://cvs.horde.org/diff.php/turba/test.php?r1=1.22&r2=1.23

Comment 2 Nigel Jones 2008-09-27 06:50:42 UTC

Thanks Josh, I'll take a look and hopefully push a fix tonight.

Comment 3 Nigel Jones 2008-09-27 11:58:11 UTC

(In reply to comment #2)
> Thanks Josh, I'll take a look and hopefully push a fix tonight.

Hmm, I didn't get the fix in today, on a side note, it seems that out of the bax, the latest releases also have this bug, (IMP 4.3 and Turba 2.3), whats the accepted way of pushing this info upwards?

Comment 4 Tomas Hoger 2010-03-29 18:38:39 UTC

IMP part should be fixed in 4.2.1:
http://lists.horde.org/archives/announce/2008/000460.html

TURBA part should be fixed in 2.2.2:
http://lists.horde.org/archives/announce/2008/000461.html

Comment 5 Fedora Update System 2010-03-29 18:42:29 UTC

imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/imp-4.3.6-1.fc11

Comment 6 Fedora Update System 2010-04-01 01:46:03 UTC

imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2010-07-26 08:01:31 UTC

Created attachment 434358 [details]
IMP fix

Adding patch here for posterity, as upstream site does not longer provide web interface for browsing CVS repository, only new GIT repository is available.

Comment 8 Tomas Hoger 2010-07-26 08:02:00 UTC

Created attachment 434359 [details]
Turba fix

Comment 9 Fedora Update System 2010-07-27 02:38:30 UTC

turba-2.3-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-07-27 02:50:36 UTC

turba-2.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.