Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 06 Sep 2010 20:15:36 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Moritz Naumann <security@...itz-naumann.com>
Subject: CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper
 sanitization of 'subdir' URL parameter

Hello Steve, vendors,

   Moritz Naumann reported:
   [1] http://seclists.org/fulldisclosure/2010/Sep/82

a deficiency in the way Horde framework sanitized user-provided
'subdir' parameter, when composing final path to the image file.
A remote, unauthenticated user could use this flaw to conduct
cross-site scripting attacks (execute arbitrary HTML or scripting
code) by providing a specially-crafted URL to the running
Horde framework instance.

Upstream patch:
   [2] http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Sample public URL by Moritz to demonstrate the issue:
   [3] [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde

Could you allocate CVE id for this issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.