oss-sec mailing list archives
Re: CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter
From: Josh Bressers <bressers () redhat com>
Date: Tue, 7 Sep 2010 15:32:28 -0400 (EDT)
Please use CVE-2010-3077 Thanks. -- JB ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
Hello Steve, vendors, Moritz Naumann reported: [1] http://seclists.org/fulldisclosure/2010/Sep/82 a deficiency in the way Horde framework sanitized user-provided 'subdir' parameter, when composing final path to the image file. A remote, unauthenticated user could use this flaw to conduct cross-site scripting attacks (execute arbitrary HTML or scripting code) by providing a specially-crafted URL to the running Horde framework instance. Upstream patch: [2] http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9 Sample public URL by Moritz to demonstrate the issue: [3] [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde Could you allocate CVE id for this issue? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter Jan Lieskovsky (Sep 06)
- Re: CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter Josh Bressers (Sep 07)