Bug 112491 - www-apps/horde potential XSS vulnerability.
Summary: www-apps/horde potential XSS vulnerability.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://lists.horde.org/archives/annou...
Whiteboard: B4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-14 03:07 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-07-03 12:08 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
horde-xss.patch (544 bytes, patch), 2005-11-14 08:06 UTC, Thierry Carrez (RETIRED)

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 03:07:48 UTC
Changes in this release: 
    * Fixed a potential XSS vulnerability.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-14 08:05:52 UTC
vapier: please bump Horde to 2.2.9 and/or apply the following patch.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-11-14 08:06:20 UTC
Created attachment 72876 [details, diff]
horde-xss.patch

Patch extracted from 2.2.9 patchset
Comment 3 SpanKY gentoo-dev 2005-11-14 16:30:36 UTC
2.2.9 now in portage
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 22:38:55 UTC
Arches please test and mark stable. 
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-15 09:54:01 UTC
sparc stable.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-15 13:14:28 UTC
Stable on ppc and hppa.
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-15 16:25:22 UTC
I've marked 2.2.9 stable on alpha but please, vapier, have a look at the
errors[1] the test page gave me when I was testing horde (I leave them here to
help other testers):

1. DB is not recent enough.
This is an error related to some changes in the API scheme handled by PEAR-DB[2].

2. The HTML_Common and HTML_Select PEAR modules seem to be needed for some kind
of support in horde. Maybe adding them as an RDEPEND via some USE flag could
help to solve this.

Thanks.

[1] http://dev.gentoo.org/~yoswink/tmp/horde-PEAR-errors.png
[2] http://lists.horde.org/archives/horde/Week-of-Mon-20050718/028387.html
Comment 8 Chris White (RETIRED) gentoo-dev 2005-11-15 22:06:55 UTC
Yoswink:

   So, comment #7 isn't a show stopper, or is it?  If not, how do we go about
the test case on that: is there a page we can go to in order to give horde a
test?
Comment 9 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-16 03:00:29 UTC
Chris:

IMHO, this isn't a show stopper (or I would never have marked it stable),
especially since we are handling a security bug. I just want the maintainer,
and the rest of the testers, to know that there are some details we should try
to improve.

What I've done to test horde is just follow the docs:
cd /usr/share/doc/horde-2.2.9/ && gzip -d INSTALL && ${EDITOR} INSTALL

and while running the test.php page I found the comment #7 errors.
Comment 10 Chris White (RETIRED) gentoo-dev 2005-11-17 01:41:34 UTC
I officially give in: 
 
================================================================= 
Notice: Only variable references should be returned by reference 
in /var/www/localhost/htdocs/horde/lib/Auth.php on line 80 
  
 Notice: Only variable references should be returned by reference 
in /var/www/localhost/htdocs/horde/lib/Prefs.php on line 144 
================================================================= 
 
I get that no matter what authentication scheme I use. Yoswink: looks like I
need more details on how exactly you interpreted that doc, because I read it
and I get that ^^.  I'm hoping I did something drastically stupid and don't
realize it.
Comment 11 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-17 05:18:27 UTC
(In reply to comment #10)

My always dear Chris:

Welcome to the wonderful arch testing world. 

Good idea to read the doc and try to make a full install in order to test the
package properly (cookie). I also got the same error message that you get.

If you see an error, the first thing you can do is a quick search over the
internet and look into the doc (again), trying to find a FAQ or something like
that. You know that you are marking stable a little update (x.x.8 -> x.x.9
security release) to a package which was already marked stable, so usually
there shouldn't be important problems.

After visiting the horde web page I found a wiki with a section called
"Troubleshooting and Common Problems". Sounds good. The first question there is:

----------------------------
"Only variables can be passed by reference"

These messages appear after upgrading to PHP 4.4 or PHP 5.1. These PHP versions
raise notices about reference usage that older versions accepted happily. Only
Horde 3.x and the H3 application versions will be fixed to not cause these
messages, so either upgrade to the latest versions, or set your error reporting
level in PHP to exclude E_NOTICE level messages.
----------------------------

So, imho, I can exclude these errors as the FAQ tells me.

Also, realize that you are testing a framework, so don't expect to see anything
useful at first sight.

If you want to perform deeper testing, you can install any of the horde-*
packages we have in portage (I used turba) and see if, at least, it doesn't
fail miserably.

After all of this, please remember we are here to fix a security bug, so we
need to be a little faster than usual and, most of the time, trust previous
testing and working stable packages (it is good to search bugzilla for open
bugs). But I prefer you spend more time testing than be the first to mark the
package stable, so you are welcome to ask :).

Kisses.
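An added illustration of the reference-return notice discussed in comments 10 and 11, written as a hypothetical singleton helper; this is not Horde's own code, and `Driver`, `singleton_old` and `singleton_fixed` are invented names:

```php
<?php
// Added example (not Horde's code). Pre-PHP-4.4 code often declared a
// function to return by reference and then returned a fresh expression.
class Driver
{
    public $name;
    public function __construct($name) { $this->name = $name; }
}

function &singleton_old($name)
{
    // PHP 4.4 / 5.1 and later emit
    // "Notice: Only variable references should be returned by reference"
    // here: 'new' produces a temporary value, not a variable.
    return new Driver($name);
}

function &singleton_fixed($name)
{
    static $instances = array();
    if (!isset($instances[$name])) {
        $instances[$name] = new Driver($name);
    }
    // Returning an actual variable satisfies the reference-return check,
    // and callers really do share one instance.
    return $instances[$name];
}

// The workaround the quoted FAQ describes for code that cannot be changed
// yet: mask E_NOTICE for this request (equivalent to
// "error_reporting = E_ALL & ~E_NOTICE" in php.ini).
error_reporting(E_ALL & ~E_NOTICE);
$a = &singleton_old('imap');    // notice now suppressed, but still a copy

// The real fix: the reference return yields the same object both times.
$b = &singleton_fixed('imap');
$c = &singleton_fixed('imap');
var_dump($b === $c);            // bool(true)
```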
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2005-11-18 15:41:26 UTC
stable on x86.  same warnings here that yoswink mentioned
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-19 07:48:32 UTC
This one is ready for GLSA decision. I tend to vote NO. 
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-11-19 08:48:54 UTC
Heh, I tend to vote yes, if for example it could be exploited through the
webmail or something...
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-20 10:32:36 UTC
Reverting my vote to YES.  
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-23 00:39:46 UTC
GLSA 200511-20 
 
On gentoo-announce now. Sorry for the delay, confirmation email got caught as 
spam.