Bug 297306 - <www-apps/horde-3.3.6 XSS (CVE-2009-3701)
Summary: <www-apps/horde-3.3.6 XSS (CVE-2009-3701)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/37709/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-17 17:33 UTC by Alex Legler (RETIRED)
Modified: 2010-08-11 20:39 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-17 17:33:26 UTC
From Secunia ($URL):
A vulnerability has been reported in Horde Application Framework, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input passed to the administration interface is not properly sanitised before being returned. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Update to version 3.3.6 or apply patch.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-17 17:38:01 UTC
Arches, please test and mark stable:
=www-apps/horde-3.3.6
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-17 21:00:50 UTC
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-19 16:36:40 UTC
Stable for HPPA.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-21 09:59:02 UTC
amd64 done.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2009-12-21 14:34:57 UTC
alpha/sparc stable
Comment 6 nixnut (RETIRED) gentoo-dev 2009-12-28 18:54:01 UTC
ppc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:17 UTC
CVE-2009-3701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3701):
  Multiple cross-site scripting (XSS) vulnerabilities in the
  administration interface in Horde Application Framework before 3.3.6,
  Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition
  before 1.2.5 allow remote attackers to inject arbitrary web script or
  HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3)
  sqlshell.php in admin/, related to the PHP_SELF variable.

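The CVE text above describes the classic PHP_SELF reflection: PHP_SELF carries the request path including PATH_INFO, so whatever follows the script name in the URL is echoed back into the page. The following is an added illustration written for this bug page; it is not Horde's code and does not reproduce the real admin/phpshell.php, admin/cmdshell.php or admin/sqlshell.php. The form and the sample value are constructed stand-ins that show the unescaped pattern, the escaped version, and the variant that avoids PHP_SELF entirely.

```php
<?php
// Added example, not Horde's code. Demonstrates why an unescaped
// $_SERVER['PHP_SELF'] in an HTML attribute is a reflected XSS, and
// two ways to close the hole. The form below is a constructed stand-in
// for an admin page; nothing here is taken from Horde.

// Vulnerable pattern: PHP_SELF includes PATH_INFO, so a request for
// /admin/phpshell.php/<anything> places <anything> verbatim inside
// the action attribute.
function render_form_vulnerable(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">'
         . '<input type="submit" value="Run"></form>';
}

// Hardened pattern: escape every server-supplied value before it is
// written into HTML. ENT_QUOTES makes sure the double quote that would
// close the attribute is encoded as well.
function render_form_hardened(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">'
         . '<input type="submit" value="Run"></form>';
}

// Simplest fix: do not reflect the request path at all. An empty action
// posts back to the current URL, and SCRIPT_NAME (unlike PHP_SELF) never
// carries PATH_INFO if a concrete path is really needed.
function render_form_fixed(): string
{
    return '<form action="" method="post">'
         . '<input type="submit" value="Run"></form>';
}

// Constructed sample: what a web server would put into $_SERVER['PHP_SELF']
// for a request whose PATH_INFO contains a quote and a harmless tag.
$sample_php_self = '/admin/phpshell.php/"><x>';

echo "Vulnerable: " . render_form_vulnerable($sample_php_self) . "\n";
// The attribute is closed early and <x> becomes live markup.
echo "Hardened:   " . render_form_hardened($sample_php_self) . "\n";
// The same text arrives as &quot;&gt;&lt;x&gt; and renders as inert characters.
echo "Fixed:      " . render_form_fixed() . "\n";
```

For triage, the quick check on a PHP code base is to grep for `PHP_SELF` (and `REQUEST_URI`) and confirm each occurrence is either passed through `htmlspecialchars()` with `ENT_QUOTES` before reaching HTML or replaced by `SCRIPT_NAME` or an empty action; the 3.3.6 upgrade named in this bug is the supported remedy for Horde itself.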
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-11 20:39:22 UTC
XSS → noglsa