Bug 523407 (CVE-2009-3237)

Summary: CVE-2009-3237 Horde: XSS in "number" type preferences and in MIME rendering
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.horde.org/ticket/?id=8399
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-02 10:36:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 538227    
Bug Blocks: 523401    

Description Jan Lieskovsky 2009-09-15 11:39:27 UTC 
Multiple cross-site scripting (XSS) flaws were identified in Horde:
===================================================================

Flaw #1 - XSS in "number" type preferences:
-------------------------------------------

An improper input validation was found in the way Horde used to process
certain numerical values, provided as HTTP form fields in the preferences
user interface. A remote attacker could issue a specially-crafted HTTP
submit form request, leading to cross-site scripting (XSS).

References:
----------
http://bugs.horde.org/ticket/?id=8399
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://secunia.com/advisories/36665/2/
http://bugs.gentoo.org/show_bug.cgi?id=285052

Upstream patch:
---------------
http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz

CVE request:
------------
http://www.openwall.com/lists/oss-security/2009/09/15/4
http://www.openwall.com/lists/oss-security/2009/09/15/5

Affected Fedora Horde versions:
--------------------------------
This issue affects the versions of the Horde package, as shipped with Fedora
releases of 10 and 11, and as shipped within EPEL-5 project.
Comment 1 Jan Lieskovsky 2009-09-15 11:40:20 UTC 
Flaw #2 - XSS in MIME rendering:
--------------------------------

An improper input validation was found in the way Horde used to render
certain MIME fields. A remote attacker could provide a specially-crafted
MIME field content, leading to cross-site scripting (XSS), once rendered
by a local, valid Horde user.

References:
-----------
http://bugs.horde.org/ticket/?id=8311
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://secunia.com/advisories/36665/2/
http://bugs.gentoo.org/show_bug.cgi?id=285052

Upstream patch:
---------------
http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz

CVE request:
------------
http://www.openwall.com/lists/oss-security/2009/09/15/4
http://www.openwall.com/lists/oss-security/2009/09/15/5  

Affected Fedora Horde versions:
-------------------------------
This issue affects the versions of the Horde package, as shipped with Fedora
releases of 10 and 11, and as shipped within EPEL-5 project.
Comment 2 Jan Lieskovsky 2009-09-17 08:20:30 UTC 
Common Vulnerabilities and Exposures assigned an identifier  CVE-2009-3237 to
the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde
Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware
1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition
1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to
inject arbitrary web script or HTML via the (1) crafted number
preferences that are not properly handled in the preference system
(services/prefs.php), as demonstrated by the sidebar_width parameter;
or (2) crafted unknown MIME "text parts" that are not properly handled
in the MIME viewer library (config/mime_drivers.php).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3237
http://marc.info/?l=horde-announce&m=125292088004087&w=2
http://marc.info/?l=horde-announce&m=125294558611682&w=2
http://marc.info/?l=horde-announce&m=125292314007049&w=2
http://marc.info/?l=horde-announce&m=125295852706029&w=2
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://marc.info/?l=horde-announce&m=125292339907481&w=2
http://bugs.horde.org/ticket/?id=8311
http://bugs.horde.org/ticket/?id=8399
http://www.osvdb.org/58108
http://www.osvdb.org/58109
http://secunia.com/advisories/36665
http://xforce.iss.net/xforce/xfdb/53202
Comment 3 Jan Lieskovsky 2009-09-17 08:22:22 UTC 
*** Bug 523410 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2010-03-29 17:51:51 UTC 
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11
Comment 6 Fedora Update System 2010-03-29 17:54:03 UTC 
horde-3.3.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc12
Comment 7 Fedora Update System 2010-03-29 17:55:23 UTC 
horde-3.3.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc13
Comment 8 Fedora Update System 2010-03-29 18:01:18 UTC 
horde-3.3.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.el5
Comment 9 Fedora Update System 2010-04-01 01:39:41 UTC 
horde-3.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-04-01 01:49:59 UTC 
horde-3.3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-04-01 17:20:06 UTC 
horde-3.3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-04-01 21:04:44 UTC 
horde-3.3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.