Bug 490932 (CVE-2009-0931, CVE-2009-0932)

Summary: CVE-2009-0931 CVE-2009-0932 horde: XSS vulnerability and directory traversal vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dev, thoger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0931
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-02 10:36:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 544429    
Bug Blocks:    

Description Vincent Danen 2009-03-18 15:48:03 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0931 to
the following vulnerability:

Name: CVE-2009-0931
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0931
Assigned: 20090317
Reference: MLIST:[announce] 20090127 Horde 3.2.4 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000483.html
Reference: MLIST:[announce] 20090127 Horde 3.3.3 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000482.html
Reference: MLIST:[announce] 20090127 Horde Groupware 1.1.5 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000486.html
Reference: CONFIRM: http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5
Reference: CONFIRM: http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5
Reference: CONFIRM: http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503
Reference: BID:33491
Reference: URL: http://www.securityfocus.com/bid/33491
Reference: SECUNIA:33695
Reference: URL: http://secunia.com/advisories/33695

Cross-site scripting (XSS) vulnerability in the tag cloud search
script (horde/services/portal/cloud_search.php) in Horde before 3.2.4
and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers
to inject arbitrary web script or HTML via unspecified vectors.
Comment 1 Vincent Danen 2009-03-18 15:50:49 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0932 to
the following vulnerability:

Name: CVE-2009-0932
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0932
Assigned: 20090317
Reference: MLIST:[announce] 20090127 Horde 3.2.4 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000483.html
Reference: MLIST:[announce] 20090127 Horde 3.3.3 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000482.html
Reference: MLIST:[announce] 20090127 Horde Groupware 1.1.5 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000486.html
Reference: CONFIRM: http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5
Reference: CONFIRM: http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5
Reference: CONFIRM: http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503
Reference: BID:33491
Reference: URL: http://www.securityfocus.com/bid/33491
Reference: SECUNIA:33695
Reference: URL: http://secunia.com/advisories/33695

Directory traversal vulnerability in framework/Image/Image.php in
Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows
remote attackers to include and execute arbitrary local files via
directory traversal sequences in the Horde_Image driver name.
Comment 2 Tomas Hoger 2009-03-25 09:35:03 UTC 
Short summary with links to relevant patches:

Horde 3.2.4 and 3.3.3:
     * SECURITY: Fix unescaped output in the tag cloud block
     * SECURITY: Fix unvalidated Horde_Image driver name

http://lists.horde.org/archives/announce/2009/000483.html
http://lists.horde.org/archives/announce/2009/000482.html
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413.2.3&r2=1.515.2.413.2.5&ty=h

Patches:
http://cvs.horde.org/diff.php/horde/services/portal/cloud_search.php?r1=1.1.2.2&r2=1.1.2.2.4.1
http://cvs.horde.org/diff.php/framework/Image/Image.php?r1=1.39.10.17&r2=1.39.10.17.4.1
Comment 4 Vincent Danen 2009-12-04 21:04:16 UTC 
Current Fedora contains 3.2.1, so it either must be patched with the above-noted patches, or updated to 3.2.4 or later.
Comment 5 Tomas Hoger 2010-03-29 17:48:40 UTC 
*** Bug 484389 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2010-03-29 17:51:59 UTC 
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11
Comment 7 Fedora Update System 2010-03-29 17:52:07 UTC 
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11
Comment 8 Fedora Update System 2010-03-29 17:54:07 UTC 
horde-3.3.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc12
Comment 9 Fedora Update System 2010-03-29 17:55:27 UTC 
horde-3.3.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc13
Comment 10 Fedora Update System 2010-03-29 18:01:22 UTC 
horde-3.3.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.el5
Comment 11 Fedora Update System 2010-04-01 01:39:46 UTC 
horde-3.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-04-01 01:50:03 UTC 
horde-3.3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-04-01 17:20:11 UTC 
horde-3.3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2010-04-01 21:04:48 UTC 
horde-3.3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.