Bug 523407 (CVE-2009-3237) - CVE-2009-3237 Horde: XSS in "number" type preferences and in MIME rendering
Summary: CVE-2009-3237 Horde: XSS in "number" type preferences and in MIME rendering
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3237
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.horde.org/ticket/?id=8399
Whiteboard:
Duplicates: 523410
Depends On: 538227
Blocks: CVE-2009-3236
 
Reported: 2009-09-15 11:39 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:32 UTC (History)
CC List: 1 user

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-02 10:36:42 UTC
Embargoed:



Description Jan Lieskovsky 2009-09-15 11:39:27 UTC
Multiple cross-site scripting (XSS) flaws were identified in Horde:
===================================================================

Flaw #1 - XSS in "number" type preferences:
-------------------------------------------

An improper input validation was found in the way Horde used to process
certain numerical values, provided as HTTP form fields in the preferences
user interface. A remote attacker could issue a specially-crafted HTTP
submit form request, leading to cross-site scripting (XSS).

References:
-----------
http://bugs.horde.org/ticket/?id=8399
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://secunia.com/advisories/36665/2/
http://bugs.gentoo.org/show_bug.cgi?id=285052

Upstream patch:
---------------
http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz

CVE request:
------------
http://www.openwall.com/lists/oss-security/2009/09/15/4
http://www.openwall.com/lists/oss-security/2009/09/15/5

Affected Fedora Horde versions:
-------------------------------
This issue affects the versions of the Horde package as shipped with Fedora
releases 10 and 11, and as shipped within the EPEL-5 project.

Comment 1 Jan Lieskovsky 2009-09-15 11:40:20 UTC
Flaw #2 - XSS in MIME rendering:
--------------------------------

An improper input validation was found in the way Horde used to render
certain MIME fields. A remote attacker could provide a specially-crafted
MIME field content, leading to cross-site scripting (XSS), once rendered
by a local, valid Horde user.

References:
-----------
http://bugs.horde.org/ticket/?id=8311
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://secunia.com/advisories/36665/2/
http://bugs.gentoo.org/show_bug.cgi?id=285052

Upstream patch:
---------------
http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz

CVE request:
------------
http://www.openwall.com/lists/oss-security/2009/09/15/4
http://www.openwall.com/lists/oss-security/2009/09/15/5

Affected Fedora Horde versions:
-------------------------------
This issue affects the versions of the Horde package as shipped with Fedora
releases 10 and 11, and as shipped within the EPEL-5 project.

Comment 2 Jan Lieskovsky 2009-09-17 08:20:30 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3237 to
the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in Horde
Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware
1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition
1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to
inject arbitrary web script or HTML via the (1) crafted number
preferences that are not properly handled in the preference system
(services/prefs.php), as demonstrated by the sidebar_width parameter;
or (2) crafted unknown MIME "text parts" that are not properly handled
in the MIME viewer library (config/mime_drivers.php).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3237
http://marc.info/?l=horde-announce&m=125292088004087&w=2
http://marc.info/?l=horde-announce&m=125294558611682&w=2
http://marc.info/?l=horde-announce&m=125292314007049&w=2
http://marc.info/?l=horde-announce&m=125295852706029&w=2
http://marc.info/?l=horde-announce&m=125291625030436&w=2
http://marc.info/?l=horde-announce&m=125292339907481&w=2
http://bugs.horde.org/ticket/?id=8311
http://bugs.horde.org/ticket/?id=8399
http://www.osvdb.org/58108
http://www.osvdb.org/58109
http://secunia.com/advisories/36665
http://xforce.iss.net/xforce/xfdb/53202
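The two flaw classes described in this bug (a "number" preference rendered without type validation, and an unknown MIME text part inlined unescaped) are shown below as a vulnerable rendering path beside its hardened form. This is an added Python example written for this record, not Horde's PHP code and not the upstream fix; the parameter name sidebar_width and the config/mime_drivers.php table are taken from the CVE text, while NUMBER_PREFS, TEXT_VIEWERS, the function names and all sample values are assumptions constructed here.

```python
import html
import re

# Constructed sample: one preferences form submission. The parameter name
# sidebar_width comes from the CVE description; the values are made up.
SAMPLE_FORM = {"sidebar_width": "150<b>x</b>", "theme": "default"}

# Assumed registry of preferences declared with type "number" (in Horde this
# would live in the application's prefs configuration; the name is ours).
NUMBER_PREFS = {"sidebar_width"}


def validate_number_pref(value, default=0, lo=0, hi=10000):
    """Accept a plain decimal integer within [lo, hi]; anything else (markup,
    exponents, hex, empty strings) collapses to the default, so a "number"
    preference can never carry HTML into the rendered form."""
    if isinstance(value, bool):          # bool is an int subclass; reject it
        return default
    if isinstance(value, int):
        n = value
    elif isinstance(value, str) and re.fullmatch(r"-?\d{1,9}", value.strip()):
        n = int(value.strip())
    else:
        return default
    return n if lo <= n <= hi else default


def render_pref_unsafe(name, value):
    """Vulnerable shape (flaw 1): the submitted string is echoed back into the
    form markup with neither type validation nor output escaping."""
    return f'<input name="{name}" value="{value}">'


def render_pref_safe(name, value):
    """Hardened form: enforce the declared type first, then escape on output so
    even free-text preferences cannot break out of the attribute."""
    if name in NUMBER_PREFS:
        value = validate_number_pref(value)
    return (f'<input name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(str(value), quote=True)}">')


def process_form(form):
    """Render every submitted field the hardened way and return the markup per
    field, so a caller (or a test) can inspect the result."""
    return {name: render_pref_safe(name, value) for name, value in form.items()}


# --- Flaw 2: MIME text parts ------------------------------------------------

def _plain_text_viewer(body):
    # Escape and wrap in <pre>: the only safe default for an arbitrary text body.
    return "<pre>" + html.escape(body) + "</pre>"


# Assumed stand-in for a MIME driver table: only subtypes listed here have a
# dedicated viewer. Horde's real table is config/mime_drivers.php.
TEXT_VIEWERS = {"text/plain": _plain_text_viewer}


def render_text_part_unsafe(content_type, body):
    """Vulnerable shape (flaw 2): a text/* subtype with no registered viewer
    falls through and its body is inlined into the page as-is."""
    viewer = TEXT_VIEWERS.get(content_type.lower())
    return viewer(body) if viewer else body


def render_text_part_safe(content_type, body):
    """Hardened form: unknown text subtypes get the same escaped, preformatted
    rendering as text/plain instead of raw inlining."""
    viewer = TEXT_VIEWERS.get(content_type.lower(), _plain_text_viewer)
    return viewer(body)


if __name__ == "__main__":
    print(render_pref_unsafe("sidebar_width", SAMPLE_FORM["sidebar_width"]))
    print(process_form(SAMPLE_FORM)["sidebar_width"])
    part = "hello <i>world</i>"   # constructed body of an unknown text subtype
    print(render_text_part_unsafe("text/x-unknown", part))
    print(render_text_part_safe("text/x-unknown", part))
```

The design point is that the two fixes are independent layers: the type check makes a "number" preference unable to hold markup at all, and output escaping covers every other preference; for MIME parts, the safe default applies to any subtype the driver table does not know rather than relying on the table being complete.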

Comment 3 Jan Lieskovsky 2009-09-17 08:22:22 UTC
*** Bug 523410 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2010-03-29 17:51:51 UTC
horde-3.3.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc11

Comment 6 Fedora Update System 2010-03-29 17:54:03 UTC
horde-3.3.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc12

Comment 7 Fedora Update System 2010-03-29 17:55:23 UTC
horde-3.3.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.fc13

Comment 8 Fedora Update System 2010-03-29 18:01:18 UTC
horde-3.3.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/horde-3.3.6-1.el5

Comment 9 Fedora Update System 2010-04-01 01:39:41 UTC
horde-3.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-04-01 01:49:59 UTC
horde-3.3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-04-01 17:20:06 UTC
horde-3.3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-04-01 21:04:44 UTC
horde-3.3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

