| Field | Value |
|---|---|
| Summary | www-apps/horde potential XSS vulnerability. |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://lists.horde.org/archives/announce/2005/000231.html |
| Whiteboard | B4 [glsa] jaervosz |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee | Gentoo Security <security> |
| CC | yoswink |
| Package list | |
| Runtime testing required | --- |
| Attachments | horde-xss.patch (attachment 72876) |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-11-14 03:07:48 UTC
vapier: please bump Horde to 2.2.9 and/or apply the following patch.

Created attachment 72876 [details, diff]
horde-xss.patch
Patch extracted from 2.2.9 patchset

2.2.9 now in portage.

Arches please test and mark stable.

sparc stable.

Stable on ppc and hppa.

I've marked 2.2.9 stable on alpha, but please, vapier, take a look at the errors [1] the test page gave me when I was testing Horde (I leave them here to help other testers):

1. "DB is not recent enough." This is an error related to some changes in the API scheme handled by PEAR-DB [2].
2. The HTML_Common and HTML_Select PEAR modules seem to be needed for some kind of support in Horde. Maybe adding them as RDEPEND via some USE flag could help to solve this.

Thanks.

[1] http://dev.gentoo.org/~yoswink/tmp/horde-PEAR-errors.png
[2] http://lists.horde.org/archives/horde/Week-of-Mon-20050718/028387.html

Yoswink: So, comment #7 isn't a show stopper, or is it? If not, how do we go about the test case on that? Is there a page we can go to in order to give Horde a test?

Chris: IMHO, this isn't a show stopper (or I would never have marked it stable), especially if we are handling a security bug. I just want the maintainer, and the rest of the testers, to know that there are some details we should try to improve. What I've done to test Horde is just follow the docs: `cd /usr/share/doc/horde-2.2.9/ && gzip -d INSTALL && ${EDITOR} INSTALL` and while running the test.php page I found the comment #7 errors.

I officially give in:

=================================================================
Notice: Only variable references should be returned by reference in /var/www/localhost/htdocs/horde/lib/Auth.php on line 80
Notice: Only variable references should be returned by reference in /var/www/localhost/htdocs/horde/lib/Prefs.php on line 144
=================================================================

I get that no matter what authentication scheme I use. Yoswink: looks like I need more details on how exactly you interpreted that doc, because I read it and I get that ^^. I'm hoping I did something drastically stupid and don't realize it.

(In reply to comment #10) My always dear Chris: welcome to the wonderful arch testing world. Good job reading the doc and trying to do a full install in order to test the package properly (cookie). I also got the same error message that you get. If you see an error, the first thing you can do is a quick search over the internet and look into the doc (again), trying to find a FAQ or something like that. You know that you are marking stable a little update (x.x.8 -> x.x.9 security release) to a package which was already marked stable, so, usually, there shouldn't be important problems. After visiting the Horde web page I found a wiki with a section called "Troubleshooting and Common Problems". Sounds good. The first question there is:

----------------------------
"Only variables can be passed by reference"

These messages appear after upgrading to PHP 4.4 or PHP 5.1. These PHP versions raise notices about reference usage that older versions accepted happily. Only Horde 3.x and the H3 application versions will be fixed to not cause these messages, so either upgrade to the latest versions, or set your error reporting level in PHP to exclude E_NOTICE level messages.
----------------------------

So, IMHO, I can exclude these errors as the FAQ tells me. Also, realize that you are testing a framework, so don't expect to see anything useful at first sight. If you want to perform deeper testing, you can install any of the horde-* packages we have in portage (I used turba) and see if, at least, it doesn't fail miserably. After all of this, please remember we are here to fix a security bug, so we need to be a little faster than usual and, most of the time, trust previous testing and working stable packages (it is good to search bugzilla for open bugs). But I prefer you spend more time testing than be the first to mark the package stable, so you are welcome to ask :). Kisses.

Stable on x86. Same warnings here that yoswink mentioned.

This one is ready for GLSA decision. I tend to vote NO.

Heh, I tend to vote yes, if for example it could be exploited through the webmail or something...

Reverting my vote to YES.

GLSA 200511-20

On gentoo-announce now. Sorry for the delay, confirmation email got caught as spam.