The upstream change is at $url. From http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0084.html <-- Horde Application Framework v3.3.8 and lower are subject to a cross site scripting (XSS) vulnerability. The icon_browser.php script fails to properly sanitize user supplied input to the 'subdir' URL parameter before printing it out as part of a HTML formatted error message. The following URL can be used as a proof of concept: > [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde Prior authentication is not required for exploitation. This vulnerability was reported to the Horde Project on 19.05.2010 and fixed by Michael M. Slusarz in the frameworks' GIT repository within a week: > http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9 Hoping to see an upcoming fixed release (which did not take place) I have delayed publication - admittedly too much. Credits for this discovery: Moritz Naumann Naumann IT Security Consulting, Berlin, Germany http://moritz-naumann.com
Fixed in 3.3.9 as per http://lists.horde.org/archives/announce/2010/000557.html.
Arches, please test and mark stable: =www-apps/horde-3.3.9 Target keywords : "alpha amd64 hppa ppc sparc x86"
I tested the following things together on x86 with apache (dev-lang/php-5.2.14) and my dovecot imap server. I've seen no problems at all! :-) www-apps/horde-3.3.9 Bug #336319 www-apps/horde-imp-4.3.8 Bug #307759 www-apps/horde-dimp-1.1.5 Bug #307759 www-apps/horde-gollem-1.1.2 Bug #339168
Stable on alpha.
amd64 done
x86 stable, thanks Andreas
ppc done
sparc stable
Stable for HPPA.
Thanks, folks. GLSA Vote: No, XSS.
XSS in webapp -> closing noglsa.
