oss-sec mailing list archives

CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 06 Sep 2010 20:15:36 +0200

Hello Steve, vendors,

  Moritz Naumann reported:
  [1] http://seclists.org/fulldisclosure/2010/Sep/82

a deficiency in the way Horde framework sanitized user-provided
'subdir' parameter, when composing final path to the image file.
A remote, unauthenticated user could use this flaw to conduct
cross-site scripting attacks (execute arbitrary HTML or scripting
code) by providing a specially-crafted URL to the running
Horde framework instance.

Upstream patch:
  [2] 
http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Sample public URL by Moritz to demonstrate the issue:
  [3] [path_to_horde]/util/icon_browser.php?subdir=<body onload="alert('XSS')">&app=horde

Could you allocate CVE id for this issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter Jan Lieskovsky (Sep 06)
- Re: CVE Request -- Horde v3.3.8 -- XSS in icon_browser.php due improper sanitization of 'subdir' URL parameter Josh Bressers (Sep 07)