Bug 452209 - (CVE-2008-2783) CVE-2008-2783 kronolith: XSS via timestamp parameter of multiple scripts
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
public=20080524,reported=20080619,sou...
: Security
Depends On: 665435
Reported: 2008-06-20 04:41 EDT by Tomas Hoger
Modified: 2016-03-04 06:35 EST
Doc Type: Bug Fix
Last Closed: 2010-12-23 14:26:50 EST

Description Tomas Hoger 2008-06-20 04:41:24 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2783 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI.  NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

References:
http://www.securityfocus.com/bid/29365
http://xforce.iss.net/xforce/xfdb/42640
Comment 2 Nigel Jones 2008-06-20 08:38:39 EDT
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
I'd agree with that view, I can't see anything.
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/horde=<XSS>
> 
> Do these work for anyone?

I'll take a look at this when I wake up in the morning, I've had some 2.2
updates mostly ready, but I think this is slightly more urgent.
Comment 3 Nigel Jones 2008-06-21 23:32:18 EDT
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS.  BID provides some sample test cases:
> 
> http://www.securityfocus.com/bid/29365/exploit
> 
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
Can not reproduce
> http://www.example.com/horde/kronolith/horde=<XSS>
404
> 
> Do these work for anyone?
Doesn't work under a default install on Fedora 9, even with debug logging
configured, I can't see this occurring.

It may be due to some special voodoo that occurs in the Spec file that means it
doesn't happen here, but from my eyes (which may have missed something) I can't
see the issue.
Comment 4 Tomas Hoger 2008-06-23 13:48:10 EDT
I suspect you also tried variants like timestamp=<XSS> (not sure if those gt/lt
were added by securityfocus or were intentional).
Comment 5 Vincent Danen 2010-12-23 14:16:15 EST
Created kronolith tracking bugs for this issue

Affects: fedora-all [bug 665435]
Comment 6 Vincent Danen 2010-12-23 14:26:50 EST
Do we know if this is still valid?  I've not been able to find any information on whether or not this has been corrected upstream or not.  I have no idea if this is still valid.

Does anyone know?  It's quite old.  I have filed a Fedora tracker so it doesn't get lost, but am closing the top-level bug as there is no additional information I can find.  If this is no longer relevant, please feel free to close the corresponding Fedora tracker.

Looking through the changelog, the last mention of XSS fixes was 2.0.6, and in our spec there is a note about a fixed XSS in 2.1.8.  And I see nothing recent in git or older in their CVS repository.

I'm closing this as NOTABUG since it doesn't look like upstream has (or the problem is not in kronolith at all).

In fact, I'm going to close the Fedora bug as well.  I'd be surprised if a legitimate XSS vuln has persisted for 2.5 years.
