oss-sec mailing list archives

Re: CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter


From: Josh Bressers <bressers () redhat com>
Date: Tue, 7 Sep 2010 15:32:28 -0400 (EDT)

Please use CVE-2010-3077

Thanks.

-- 
    JB


----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

Hello Steve, vendors,

   Moritz Naumann reported:
   [1] http://seclists.org/fulldisclosure/2010/Sep/82

a deficiency in the way the Horde framework sanitized the user-provided
'subdir' parameter when composing the final path to the image file.
A remote, unauthenticated user could use this flaw to conduct
cross-site scripting attacks (execute arbitrary HTML or scripting
code) by providing a specially-crafted URL to the running
Horde framework instance.

Upstream patch:
   [2] http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Sample public URL by Moritz to demonstrate the issue:
   [3] [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde

Could you allocate a CVE id for this issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
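
The class of fix the report above calls for, as an added example that is not part of the original thread and is not Horde's code or its upstream patch: a request parameter used to build a path is checked against an allow-list and HTML-encoded wherever it is echoed. The function names, the 'graphics/' prefix and the markup are assumptions made for illustration; the first sample input is the value from the URL in the report.

```php
<?php
// Added illustration, not Horde's code. All names here are hypothetical.

// Constructed "before" form: the parameter is reflected into the page as-is.
function render_heading_unsafe(string $subdir): string
{
    return '<h2>Icons in graphics/' . $subdir . '</h2>';
}

// Return the sub-directory if it is acceptable, '' if absent, null if rejected.
function clean_subdir(?string $subdir): ?string
{
    if ($subdir === null || $subdir === '') {
        return '';
    }
    // Allow-list: segments of letters, digits, '_' and '-', separated by '/'.
    // This rejects markup characters and also '.' (so no '..' traversal).
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#D', $subdir)) {
        return null;
    }
    return $subdir;
}

// Hardened form: validate first, then encode on output regardless.
function render_heading(?string $subdir): string
{
    $clean = clean_subdir($subdir);
    if ($clean === null) {
        return '<p>Invalid sub-directory.</p>';
    }
    $path = htmlspecialchars('graphics/' . $clean, ENT_QUOTES, 'UTF-8');
    return '<h2>Icons in ' . $path . '</h2>';
}

// Constructed sample inputs; the first is the value from the report's URL.
$samples = ['<body onload="alert(\'XSS\')">', 'tree/folder', '../../etc'];
foreach ($samples as $s) {
    echo 'unsafe:   ', render_heading_unsafe($s), "\n";
    echo 'hardened: ', render_heading($s), "\n";
}
```

Validation and output encoding are kept as separate steps so that a later loosening of the allow-list does not reintroduce the reflection.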

