Bug 452209 (CVE-2008-2783) - CVE-2008-2783 kronolith: XSS via timestamp parameter of multiple scripts
Summary: CVE-2008-2783 kronolith: XSS via timestamp parameter of multiple scripts
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-2783
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 665435
Blocks:
Reported: 2008-06-20 08:41 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-23 19:26:50 UTC
Embargoed:



Description Tomas Hoger 2008-06-20 08:41:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2783 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI.  NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

References:
http://www.securityfocus.com/bid/29365
http://xforce.iss.net/xforce/xfdb/42640

Comment 2 Nigel Jones 2008-06-20 12:38:39 UTC
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
I'd agree with that view, I can't see anything.
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/horde=<XSS>
> 
> Do these work for anyone?

I'll take a look at this when I wake up in the morning, I've had some 2.2
updates mostly ready, but I think this is slightly more urgent.

Comment 3 Nigel Jones 2008-06-22 03:32:18 UTC
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/horde=<XSS>
404
> 
> Do these work for anyone?
Doesn't work under a default install on Fedora 9, even with debug logging
configured, I can't see this occurring.

It may be due to some special voodoo that occurs in the Spec file that means it
doesn't happen here, but from my eyes (which may have missed something) I can't
see the issue.

Comment 4 Tomas Hoger 2008-06-23 17:48:10 UTC
I suspect you also tried variants like timestamp=<XSS> (not sure if those gt/lt
were added by securityfocus or were intentional).

Comment 5 Vincent Danen 2010-12-23 19:16:15 UTC
Created kronolith tracking bugs for this issue

Affects: fedora-all [bug 665435]

Comment 6 Vincent Danen 2010-12-23 19:26:50 UTC
Do we know if this is still valid?  I've not been able to find any information on whether or not this has been corrected upstream or not.  I have no idea if this is still valid.

Does anyone know?  It's quite old.  I have filed a Fedora tracker so it doesn't get lost, but am closing the top-level bug as there is no additional information I can find.  If this is no longer relevant, please feel free to close the corresponding Fedora tracker.

Looking through the changelog, the last mention of XSS fixes was 2.0.6, and in our spec there is a note about a fixed XSS in 2.1.8.  And I see nothing recent in git or older in their CVS repository.

I'm closing this as NOTABUG since it doesn't look like upstream has (or the problem is not in kronolith at all).

In fact, I'm going to close the Fedora bug as well.  I'd be surprised if a legitimate XSS vuln has persisted for 2.5 years.

