#2008-012 Horde, Popoon frameworks common input sanitization errors (XSS) Two cross-site scripting (XSS) vulnerabilities were reported in Horde Framework. The first of which is that the Horde framework fails to properly sanitize the filename of MIME attachments on received emails. The second vulnerability has a wider impact. Horde relies on code similar to Popoon's externalinput.php to filter out potential XSS attacks on user-supplied input. This filter, and the original, fail to fully sanitize user data. In particular, this filter fails to protect against '/'s acting as spaces in both Microsoft Internet Explorer and Mozilla Firefox. Patches have been made available for Horde: * 3.1: http://ocert.org/patches/2008-012/Text_Filter.31.patch * 3.2 - CVS HEAD: http://ocert.org/patches/2008-012/MIME.patch http://ocert.org/patches/2008-012/Text_Filter.patch A replacement for externalinput.php is linked below as well. Affected version: Popoon (externalinput.php) <= r22196 Horde >= 3.2, <= 3.2.1 (both issues) Horde >= 3.1, < 3.2 (XSS filter only) (secondary affected versions) Horde Groupware >= 1.0, <= 1.0.6 (XSS filter only) Horde Groupware Webmail Edition >= 1.0, <= 1.0.7 (XSS filter only) Horde Groupware >= 1.1, <= 1.1.2 (both issues) Horde Groupware Webmail Edition >= 1.1, <= 1.1.2 (both issues) Cake-PHP <= 1.2.0.7296 RC2 phpMyFAQ <= 2.5.0-dev (2008-08-18) deluxeBB <= 1.2 emucms <= 0.3 SimpleSite <= 1.6.4 RevokeBB <= 1.0RC11_normal TPLN <= 2.9 Logicoder <= r27 phour <= r106 MDPro <= 1.0821 noserub <= r784/0.6 Fixed version: Horde > 3.2.1 (see patches) externalinput/clean.php (see links) Credit: Vulnerability report and proof of concepts received from Alexios Fakos <security [at] nruns [dot] com>. CVE: CVE-2008-3823 (MIME attachment), CVE-2008-3824 (XSS filtering) Timeline: 2008-08-05: initial report and proof of concepts received. 2008-08-18: affected software survey completed by oCERT. 2008-08-18: externalinput.php/Popoon author contacted. 2008-08-19: Horde author contacted. 2008-08-19: initial patches for Horde and Popoon supplied by vendors. 2008-08-19: reporter calls out additional possible vectors in externalinput.php. 2008-08-20: secondary fixed for externalinput.php supplied. 2008-08-20: attempted to contact CakePHP. 2008-09-04: final Horde patches supplied. 2008-09-04: potentially affected oCERT members and vendor-sec notified. 2008-08-05: CVEs assigned. 2008-09-05: oCERT requests end of embargo to be Sep 10, 1700 UTC. 2008-09-06: contacted phlymail lite; confirmed unaffected. 2008-09-06: notified all secondary vendors above. 2008-09-06: acknowledgement from cakephp, noserub, phpmyfaq. 2008-09-09: confirmed exact embargo end with vendor-sec and other vendors. 2008-09-10: advisory released. References: http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable -xss-attacks.html Links: http://horde.org http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.ph p https://svn.liip.ch/repos/public/ext/externalinput/trunk/lx/externalinpu t/clean.php http://horde.org/groupware http://www.cakephp.org http://www.phpmyfaq.de http://www.deluxebb.com http://www.emusoft.org/index.php?page=category&cat_id=14 http://dev.mistralys.com/SimpleSite http://sourceforge.net/projects/revokebb http://tpln.h2lsoft.com/ http://code.google.com/p/logicoder/ http://code.google.com/p/phour/ http://www.maxdev.com/AboutMD.phtml http://code.google.com/p/noserub/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3824 Permalink: http://www.ocert.org.org/advisories/ocert-2008-012.html -- Will Drewry <redpig (at) ocert (dot) org [email concealed]> oCERT Team :: http://ocert.org