Bug 480818 (CVE-2008-5917)

Summary: CVE-2008-5917 horde: IE-specific XSS via image style attribute
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dev, j
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-04-02 10:37:39 UTC

Description Tomas Hoger 2009-01-20 17:46:36 UTC
Horde framework upstream versions 3.2.3 and 3.3.1 improve the XSS filter to catch one reportedly MSIE-specific XSS issue:
  * Added another check to the XSS filter (only IE is vulnerable).

Release announcements:
http://lists.horde.org/archives/announce/2008/000462.html (3.2.3)
http://lists.horde.org/archives/announce/2008/000464.html (3.3.1)

Patch:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413.2.1&r2=1.515.2.413.2.3&ty=h
http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Test cases:
http://cvs.horde.org/diff.php/framework/Text_Filter/tests/xss.phpt?r1=1.1.2.3&r2=1.1.2.4
http://cvs.horde.org/framework/Text_Filter/tests/xss100.html

xss100.html is:
  <img src='blank.jpg'style='width:expression(alert("xssed"))'>
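
As an added example (not Horde's code and not part of this bug report), a regression check that could be run over a sanitizer's output: it parses the markup rather than pattern-matching the raw string, so the xss100.html case, which has no whitespace between the two attributes, is still seen as a `style` attribute. The function and sample names are assumptions made for this example, and the check looks only for the `expression(` token.

```python
import re
from html.parser import HTMLParser

# Constructed inputs: "xss100" is the test case quoted above; the other two
# are made up for this example.
SAMPLES = {
    "xss100": "<img src='blank.jpg'style='width:expression(alert(\"xssed\"))'>",
    "spaced": "<IMG SRC='blank.jpg' STYLE='WIDTH: EXPRESSION(alert(\"xssed\"))'>",
    "benign": "<img src='blank.jpg' style='width:100px'>",
}

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize_css(value):
    """Lower-case the value and drop CSS comments, whitespace and NUL bytes."""
    value = CSS_COMMENT.sub("", value.lower())
    return re.sub(r"[\s\x00]+", "", value)


class StyleAudit(HTMLParser):
    """Collects (tag, normalized style) for style attributes using expression()."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names and unquotes values.
        for name, value in attrs:
            if name != "style" or not value:
                continue
            css = normalize_css(value)
            if "expression(" in css:
                self.findings.append((tag, css))


def find_css_expressions(markup):
    """Return every (tag, style) pair whose style value calls expression()."""
    audit = StyleAudit()
    audit.feed(markup)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, find_css_expressions(markup))
```

A non-empty result for markup that has already passed through the filter means the output still carries the construct this bug describes.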

Comment 1 Tomas Hoger 2009-01-20 17:48:17 UTC
Bump to upstream 3.2.3 should also fix the other two horde XSS issues not yet fixed in Fedora: bug #461886 and bug #461886.  All changes between 3.2.1 and 3.2.3 seem to be related to XSS fixes.

Comment 2 Tomas Hoger 2009-01-21 07:43:22 UTC
CVE-2008-5917:
Cross-site scripting (XSS) vulnerability in the XSS filter
(framework/Text_Filter/Filter/xss.php) in Horde Application Framework
3.2.2 and 3.3, when Internet Explorer is being used, allows remote
attackers to inject arbitrary web script or HTML via unknown vectors
related to style attributes.

Comment 3 Fedora Update System 2010-03-29 17:58:32 UTC
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11

Comment 4 Fedora Update System 2010-03-29 17:59:02 UTC
horde-3.3.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc12

Comment 5 Fedora Update System 2010-03-29 18:00:53 UTC
horde-3.3.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc13

Comment 6 Fedora Update System 2010-03-29 18:01:35 UTC
horde-3.3.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.el5

Comment 7 Fedora Update System 2010-04-01 01:40:02 UTC
horde-3.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-04-01 01:50:15 UTC
horde-3.3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2010-04-01 17:20:25 UTC
horde-3.3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-04-01 21:05:02 UTC
horde-3.3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.