Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2783 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

References:
http://www.securityfocus.com/bid/29365
http://xforce.iss.net/xforce/xfdb/42640
I do not see this mentioned on the upstream page, nor any related changes in the upstream CVS. BID provides some sample test cases:

http://www.securityfocus.com/bid/29365/exploit

http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
http://www.example.com/horde/kronolith/horde=<XSS>

Do these work for anyone?
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS. BID provides some sample test cases:

I'd agree with that view, I can't see anything.

> http://www.securityfocus.com/bid/29365/exploit
>
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>
> http://www.example.com/horde/kronolith/horde=<XSS>
>
> Do these work for anyone?

I'll take a look at this when I wake up in the morning. I've had some 2.2 updates mostly ready, but I think this is slightly more urgent.
(In reply to comment #1)
> I do not see this mentioned on the upstream page, nor any related changes in the
> upstream CVS. BID provides some sample test cases:
>
> http://www.securityfocus.com/bid/29365/exploit
>
> http://www.example.com/horde/kronolith/week.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/day.php?timestamp=<XSS>

Can not reproduce

> http://www.example.com/horde/kronolith/horde=<XSS>

404

> Do these work for anyone?

Doesn't work under a default install on Fedora 9, even with debug logging configured, I can't see this occurring. It may be due to some special voodoo that occurs in the Spec file that means it doesn't happen here, but from my eyes (which may have missed something) I can't see the issue.
I suspect you also tried variants like timestamp=<XSS> (not sure if those gt/lt were added by securityfocus or were intentional).
Created kronolith tracking bugs for this issue

Affects: fedora-all [bug 665435]
Do we know if this is still valid? I've not been able to find any information on whether or not this has been corrected upstream or not.

I have no idea if this is still valid. Does anyone know? It's quite old. I have filed a Fedora tracker so it doesn't get lost, but am closing the top-level bug as there is no additional information I can find. If this is no longer relevant, please feel free to close the corresponding Fedora tracker.

Looking through the changelog, the last mention of XSS fixes was 2.0.6, and in our spec there is a note about a fixed XSS in 2.1.8. And I see nothing recent in git or older in their CVS repository.

I'm closing this as NOTABUG since it doesn't look like upstream has (or the problem is not in kronolith at all). In fact, I'm going to close the Fedora bug as well. I'd be surprised if a legitimate XSS vuln has persisted for 2.5 years.
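For admins who want to check their own web server logs for requests matching the CVE description, the following is an added example, not part of the original thread or of Horde's code. It flags requests to the three named scripts whose timestamp parameter is not purely numeric, including percent-encoded and double-encoded forms. The log lines are constructed, and treating a valid timestamp as digits only is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts named in the CVE-2008-2783 description.
SCRIPTS = ("week.php", "workweek.php", "day.php")

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2008:10:00:01 +0000] "GET /horde/kronolith/week.php?timestamp=1211760000 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [26/May/2008:10:00:07 +0000] "GET /horde/kronolith/day.php?timestamp=%3CXSS%3E HTTP/1.1" 200 5133',
    '192.0.2.11 - - [26/May/2008:10:00:09 +0000] "GET /horde/kronolith/workweek.php?timestamp=%253CXSS%253E HTTP/1.1" 200 5140',
    '192.0.2.12 - - [26/May/2008:10:00:12 +0000] "GET /horde/imp/mailbox.php?timestamp=%3CXSS%3E HTTP/1.1" 200 900',
]


def suspicious_timestamp(target):
    """Return the decoded timestamp value if it is not all digits, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in SCRIPTS:
        return None
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    for value in parse_qs(parts.query).get("timestamp", []):
        decoded = unquote(value)
        if not re.fullmatch(r"\d+", decoded):  # assumption: digits only
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_timestamp(match.group(1))
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric timestamp {value!r}")
```

A hit only shows that such a request was made, not that the response reflected the value unescaped.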