Bug 399563 (CVE-2012-0791) - www-apps/horde-imp Multiple XSS Vulnerabilities from Improperly Sanitized Input (CVE-2012-{0791,0909})
Status: RESOLVED FIXED
Alias: CVE-2012-0791
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/47580
Whiteboard: B4 [noglsa]
Reported: 2012-01-20 22:58 UTC by Michael Harrison
Modified: 2016-05-30 04:54 UTC

Description Michael Harrison 2012-01-20 22:58:44 UTC
Multiple vulnerabilities have been reported in Horde IMP, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

1) Input passed via the 'composeCache', 'rtemode', and 'filename_*' parameters to the compose page and the 'formname' parameter to the contacts popup window is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain input via IMAP mailbox names is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

The vulnerabilities are reported in versions prior to 5.0.18.

Solution
Update to version 5.0.18.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://www.horde.org/apps/imp/docs/RELEASE_NOTES
http://www.horde.org/apps/imp/docs/CHANGES
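
For sites that cannot move to 5.0.18 immediately, the parameters named in item 1 can be watched for in web server access logs. The following is an added example, not part of the original report or of Horde's code: it flags requests where one of those parameters carries HTML metacharacters after URL decoding. It assumes combined-format access logs and parameters sent in the query string; the sample lines and the /webmail/... paths are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names come from the advisory text; "filename_*" is a prefix match.
EXACT = {"composeCache", "rtemode", "formname"}
PREFIX = "filename_"
# HTML metacharacters that should not appear raw in these values.
MARKUP = re.compile(r"[<>\"']")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_watched(name):
    return name in EXACT or name.startswith(PREFIX)


def suspicious_params(url):
    """Return (name, decoded value) for watched parameters carrying markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not is_watched(name):
            continue
        # parse_qsl decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if MARKUP.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return (line number, parameter, decoded value) for every finding."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for name, value in suspicious_params(match.group(1)):
                findings.append((number, name, value))
    return findings


# Constructed sample lines; the /webmail/... paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2012:23:01:02 +0000] "GET /webmail/compose?rtemode=1&composeCache=abc123 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [20/Jan/2012:23:01:07 +0000] "GET /webmail/compose?rtemode=%22%3E%3Cb%3E HTTP/1.1" 200 5200',
    '192.0.2.12 - - [20/Jan/2012:23:01:09 +0000] "GET /webmail/contacts?formname=%2527x HTTP/1.1" 200 810',
    '192.0.2.13 - - [20/Jan/2012:23:01:15 +0000] "GET /webmail/compose?filename_1=report.txt&subject=%3Cb%3E HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Hits are triage leads rather than confirmed exploitation: a legitimate attachment name can contain an apostrophe, and values submitted in a POST body do not appear in access logs at all.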
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-21 14:02:50 UTC
Alex/www-apps: Does this affect our IMP H3 packages or only IMP H4?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 22:06:11 UTC
CVE-2012-0791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0791):
  Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before
  5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote
  attackers to inject arbitrary web script or HTML via the (1) composeCache,
  (2) rtemode, or (3) filename_* parameters to the compose page; (4) formname
  parameter to the contacts popup window; or (5) IMAP mailbox names.  NOTE:
  some of these details are obtained from third party information.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-27 17:26:10 UTC
@maintainers: Any plans for bumping this package to a version not vulnerable?
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-02-29 14:19:59 UTC
Still no bump from maintainer(s). Only dependency is www-apps/horde-dimp, which has been integrated to >=horde-imp-5.0 upstream. Candidate for tree cleaning along with horde-dimp.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 00:00:03 UTC
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016)
# Per security bug #399563 these packages are vulnerable
# and unmaintained.  Removal in 30 days.
www-apps/horde-imp
www-apps/horde-dimp
Comment 6 Patrice Clement gentoo-dev 2016-03-05 14:04:14 UTC
Masking horde means masking its extensions as well, namely this list of packages:
monsieurp@epsilon ~/gentoo $ printf '%s\n' www-apps/horde*
www-apps/horde
www-apps/horde-chora
www-apps/horde-dimp
www-apps/horde-gollem
www-apps/horde-hermes
www-apps/horde-imp
www-apps/horde-ingo
www-apps/horde-jeta
www-apps/horde-kronolith
www-apps/horde-mimp
www-apps/horde-mnemo
www-apps/horde-nag
www-apps/horde-passwd
www-apps/horde-pear
www-apps/horde-turba
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 14:37:42 UTC
www-apps/horde was not masked.  Two of the extensions were per previous mask message.