Moritz Naumann reported: [1] http://seclists.org/fulldisclosure/2010/Sep/82 a deficiency in the way the Horde framework sanitized the user-provided 'subdir' parameter when composing the final path to the image file. A remote, unauthenticated user could use this flaw to conduct cross-site scripting attacks (execute arbitrary HTML or scripting code) by providing a specially-crafted URL to the running Horde framework instance.

Upstream patch: [2] http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Sample public URL by Moritz to demonstrate the issue: [3] [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde
This issue affects the versions of the horde package as shipped with Fedora releases 12 and 13 (the relevant line is slightly different in the Fedora Horde versions: if (($subdir = basename(Util::getFormData('subdir')))) { ), but the XSS is possible (verified on both versions). Please fix.
CVE Request: [4] http://www.openwall.com/lists/oss-security/2010/09/06/2
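The report above turns on one point: basename() is a path sanitizer, not an HTML encoder, so the Fedora line quoted above still lets the PoC payload reach the page untouched. The following Python script is an added illustration written for this bug entry (it is not Horde's code, and the upstream patch is not reproduced here); it models the request handling in Python rather than PHP, with posixpath.basename standing in for PHP basename() and a small get_form_data() helper standing in for Util::getFormData(). The PoC URL is constructed from the sample in the report with a hypothetical host; the allow-list in validate_subdir() is a suggested extra check, not what upstream did.

```python
import html
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request: the public PoC shape from the report, URL-encoded,
# on a hypothetical host. Decoded, subdir is: <body onload="alert('XSS')">
POC_URL = ("http://horde.example/horde/util/icon_browser.php"
           "?subdir=%3Cbody%20onload%3D%22alert%28%27XSS%27%29%22%3E&app=horde")


def get_form_data(url, name):
    """Stand-in for Util::getFormData(): first value of a query parameter, or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(url):
    """Mirrors the Fedora pattern: basename() only, then raw interpolation into HTML.

    basename() drops any directory components (it does defeat '../' traversal
    for the filesystem lookup) but passes markup characters straight through.
    """
    subdir = posixpath.basename(get_form_data(url, "subdir"))
    return "<h1>Icons in %s</h1>" % subdir


def render_fixed(url):
    """Same path handling, but the value is HTML-encoded before it hits the page."""
    subdir = posixpath.basename(get_form_data(url, "subdir"))
    # quote=True also encodes ' and ", which matters inside attribute values.
    return "<h1>Icons in %s</h1>" % html.escape(subdir, quote=True)


# Hypothetical defence-in-depth policy: icon subdirectories are plain names.
SAFE_SUBDIR = re.compile(r"[A-Za-z0-9_-]+")


def validate_subdir(subdir):
    """Allow-list check to apply before any filesystem access or output."""
    return SAFE_SUBDIR.fullmatch(subdir) is not None


if __name__ == "__main__":
    print("basename() of traversal attempt:",
          posixpath.basename("../../../etc/passwd"))
    print("vulnerable:", render_vulnerable(POC_URL))
    print("fixed:     ", render_fixed(POC_URL))
    print("allow-list accepts PoC subdir?",
          validate_subdir(get_form_data(POC_URL, "subdir")))
```

Running it shows the two layers separately: basename() reduces "../../../etc/passwd" to "passwd" (its actual job), yet the PoC subdir comes back from basename() byte-for-byte and is only neutralised once the output is encoded or the value is rejected by the allow-list.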
Created horde tracking bugs for this issue

Affects: fedora-all [bug 630689]
The CVE identifier of CVE-2010-3077 has been assigned to this issue.
Upstream has released a new version of Horde (3.3.9) [1] that corrects the following flaws:

* Fixed XSS vulnerability in util/icon_browser.php (CVE-2010-3077)
* Protected preference forms against CSRF attacks (CVE-2010-3694)

The current version of Horde in Fedora is 3.3.8 and is vulnerable to these flaws.

[1] http://lists.horde.org/archives/announce/2010/000557.html

(Adding CVE-2010-3694 to this bug as CVE-2010-3077 has not yet been fixed)