Bug 461887 - (CVE-2008-3824) CVE-2008-3824 horde: XSS via unescaped '/' characters (oCERT-2008-012)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Reported: 2008-09-11 03:40 EDT by Tomas Hoger
Modified: 2010-04-02 06:37 EDT
Doc Type: Bug Fix
Last Closed: 2010-04-02 06:37:23 EDT
Description Tomas Hoger 2008-09-11 03:40:26 EDT
oCERT reported an XSS vulnerability discovered by Alexios Fakos affecting horde:

  Horde relies on code similar to Popoon's externalinput.php to filter out
  potential XSS attacks on user-supplied input. This filter, and the original,
  fail to fully sanitize user data. In particular, this filter fails to protect
  against '/'s acting as spaces in both Microsoft Internet Explorer and Mozilla
  Firefox.

  For example, the following snippet, supplied by the reporter, is treated as
  valid by the browsers but safe by the filter: <body/onload=alert(/w00w00/)> 

According to oCERT, this affects 3.1.x and 3.2.x versions of Horde, possibly others.

References:
http://www.ocert.org/advisories/ocert-2008-012.html

Patch:
http://ocert.org/patches/2008-012/Text_Filter.patch (for 3.2.x)
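
The separator assumption described in the advisory text above, as an added example that is not part of the original report and is not Horde's or Popoon's code. `naive_filter`, `event_handlers` and `strip_handlers` are hypothetical names; the whitespace variant and the harmless markup are constructed samples.

```python
import re

# A start tag: name, then everything up to '>' (quoted values may contain '>').
START_TAG = re.compile(r"""<([a-zA-Z][^\s/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>""")
# One attribute. Browsers accept '/' as well as whitespace between attributes.
ATTR = re.compile(r"""[\s/]*([^\s/>=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]*))?""")
# Constructed stand-in for the flawed assumption (not Horde's or Popoon's code):
# an event handler is only recognised when whitespace precedes it.
NAIVE_HANDLER = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def naive_filter(html):
    """Strip on* attributes, assuming whitespace always separates attributes."""
    return START_TAG.sub(lambda m: NAIVE_HANDLER.sub("", m.group(0)), html)


def event_handlers(html):
    """List (tag, attribute) pairs for on* attributes, splitting on space or '/'."""
    return [(tag.group(1).lower(), attr.group(1).lower())
            for tag in START_TAG.finditer(html)
            for attr in ATTR.finditer(tag.group(2))
            if attr.group(1).lower().startswith("on")]


def strip_handlers(html):
    """Rebuild each start tag without its on* attributes."""
    def rebuild(tag):
        rest = tag.group(2)
        kept = [rest[attr.start(1):attr.end()]
                for attr in ATTR.finditer(rest)
                if not attr.group(1).lower().startswith("on")]
        return "<" + " ".join([tag.group(1)] + kept) + ">"
    return START_TAG.sub(rebuild, html)


SLASH = "<body/onload=alert(/w00w00/)>"        # snippet quoted in the report
SPACE = "<body onload=alert(/w00w00/)>"        # constructed whitespace variant
BENIGN = '<a href="/on/path" class=x>ok</a>'   # constructed harmless markup

if __name__ == "__main__":
    for sample in (SLASH, SPACE, BENIGN):
        out = naive_filter(sample)
        print(repr(sample), "->", repr(out), "| handlers left:", event_handlers(out))
    print("separator-aware:", repr(strip_handlers(SLASH)))
```

`event_handlers` can be run over a filter's output as a regression check: any pair it returns is a handler the filter let through.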
Comment 1 Tomas Hoger 2008-09-11 15:30:10 EDT
Advisory from the reporter:
  http://marc.info/?l=full-disclosure&m=122113958319123&w=4
Comment 2 Chris Croome 2008-12-25 18:26:41 EST
Horde Application Framework version 3.2.2 announced on September 10th 2008
fixed this:

  The Horde Team is pleased to announce the final release of the Horde
  Application Framework version 3.2.2.

  This is a security release that fixes unescaped output in the MIME library
  (CVE-2008-3823), and further improves the XSS filter for HTML messages
  (CVE-2008-3824). The unescaped output vulnerability can be triggered by sending
  specially crafted e-mail messages to Horde users, if they use a Horde mail
  client. All users are encouraged to upgrade to this version.

  The major changes compared to the Horde version H3 (3.2.1) are:
       * Fixed unescaped output in the MIME library.
       * Further improved the XSS filter for HTML.

  http://lists.horde.org/archives/announce/2008/000429.html

In addition on December 10th 2008 version 3.2.3 was released:

  This is a minor security release that adds another check to the XSS filter for
  an Internet Explorer exploit. All users are encouraged to upgrade to this
  version.

  The major changes compared to the Horde version H3 (3.2.2) are:
       * Added another check to the XSS filter (only IE is vulnerable).

  http://lists.horde.org/archives/announce/2008/000462.html

There is also a 3.3.2 version but I guess that this would be a more complicated
upgrade.

I haven't tested for this XSS exploit -- my interest in a 3.2.2 version of
Horde is so that I can install Ansel:

  Ansel 1.0 requires version 3.2.2 or greater of the Horde Framework - earlier
  versions of Horde will not work.

  http://www.horde.org/ansel/docs/?f=INSTALL.html#prerequisites

I'm using the epel-5 package.
Comment 3 Fedora Update System 2010-03-29 13:58:27 EDT
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11
Comment 4 Fedora Update System 2010-03-29 13:58:58 EDT
horde-3.3.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc12
Comment 5 Fedora Update System 2010-03-29 14:00:48 EDT
horde-3.3.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc13
Comment 6 Fedora Update System 2010-03-29 14:01:31 EDT
horde-3.3.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.el5
Comment 7 Fedora Update System 2010-03-31 21:39:57 EDT
horde-3.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-03-31 21:50:11 EDT
horde-3.3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-04-01 13:20:20 EDT
horde-3.3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-04-01 17:04:57 EDT
horde-3.3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
