On Thursday 22 March 2007 13:07, Marcos Marado wrote:
> > Ola Lundqvist <[EMAIL PROTECTED]> wrote:
> > >
> > > Interesting! Will you create a fix for this?
>
> I took from the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 a working
> patch to fix the XSS vulnerability. I'm not really sure if I should submit
> a patch that would work against imp4_4.1.3-2 (in etch) or against
> imp4_4.1.3-3 (in sid)... Well, probably it will work against both. I'll
> send the patch after lunch.
Here's the patch. It was created to be applied against imp4_4.1.3-2. Can I help in anything else?

-- 
Marcos Marado
Sonaecom IT
diff -ru imp-h3-4.1.3/templates/search/fields.inc imp-h3-4.1.3-fixed/templates/search/fields.inc --- imp-h3-4.1.3/templates/search/fields.inc 2006-01-01 07:02:09.000000000 +0000 +++ imp-h3-4.1.3-fixed/templates/search/fields.inc 2007-03-22 13:11:00.000000000 +0000 @@ -21,7 +21,7 @@ ($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_BODY) || ($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_TEXT)): ?> <td class="item0 leftAlign"> - <input type="text" name="search_text[<?php echo $i ?>]" size="40" <?php if (!empty($search['text'][$i])) echo 'value="' . $search['text'][$i] . '" '; ?>/> + <input type="text" name="search_text[<?php echo $i ?>]" size="40" <?php if (!empty($search['text'][$i])) echo 'value="' . htmlspecialchars($search['text'][$i]) . '" '; ?>/> <input type="checkbox" name="search_text_not[<?php echo $i ?>]" <?php if (!empty($search['text_not'][$i])) echo 'checked="checked" '; ?>/> <em><?php echo _("Do NOT match") ?></em> </td> diff -ru imp-h3-4.1.3/templates/search/header.inc imp-h3-4.1.3-fixed/templates/search/header.inc --- imp-h3-4.1.3/templates/search/header.inc 2006-02-08 21:28:57.000000000 +0000 +++ imp-h3-4.1.3-fixed/templates/search/header.inc 2007-03-22 13:11:00.000000000 +0000 
@@ -2,12 +2,12 @@ <input type="hidden" name="actionID" value="update_search" /> <input type="hidden" name="delete_field_id" value="" /> <?php if ($edit_query_id): ?> -<input type="hidden" name="edit_query_id" value="<?php echo $edit_query_id ?>" /> +<input type="hidden" name="edit_query_id" value="<?php echo htmlspecialchars($edit_query_id) ?>" /> <?php endif; ?> <?php if (!empty($search['mbox'])): ?> -<input type="hidden" name="mbox" value="<?php echo $search['mbox'] ?>" /> +<input type="hidden" name="mbox" value="<?php echo htmlspecialchars($search['mbox']) ?>" /> <?php elseif ($subscribe): ?> -<input type="hidden" name="show_subscribed_only" value="<?php echo $shown ?>" /> +<input type="hidden" name="show_subscribed_only" value="<?php echo htmlspecialchars($shown) ?>" /> <?php endif; ?> <div align="center"> <table border="0" cellspacing="0" cellpadding="2" width="100%"> diff -ru imp-h3-4.1.3/templates/search/main.inc imp-h3-4.1.3-fixed/templates/search/main.inc --- imp-h3-4.1.3/templates/search/main.inc 2006-02-15 01:29:27.000000000 +0000 +++ imp-h3-4.1.3-fixed/templates/search/main.inc 2007-03-22 13:11:00.000000000 +0000 @@ -77,7 +77,7 @@ </tr> <?php if (!empty($search['mbox'])): ?> - <input id="preselected_folders" type="hidden" name="search_folders[]" value="<?php echo $search['mbox'] ?>" /> + <input id="preselected_folders" type="hidden" name="search_folders[]" value="<?php echo htmlspecialchars($search['mbox']) ?>" /> <?php else: ?> <tr> <td class="smallheader leftAlign" colspan="2"><?php echo _("Message folders") ?></td> 
@@ -126,7 +126,7 @@ <?php endif; ?> <tr> <td class="item1 leftAlign" nowrap="nowrap"> - <em><?php echo _("Virtual folder label") ?>:</em> <input type="text" id="vfolder_label" name="vfolder_label" <?php if (!empty($search['vfolder_label'])) echo 'value="' . $search['vfolder_label'] . '" '; ?>/> + <em><?php echo _("Virtual folder label") ?>:</em> <input type="text" id="vfolder_label" name="vfolder_label" <?php if (!empty($search['vfolder_label'])) echo 'value="' . htmlspecialchars($search['vfolder_label']) . '" '; ?>/> </td> </tr> </table> diff -ru imp-h3-4.1.3/thread.php imp-h3-4.1.3-fixed/thread.php --- imp-h3-4.1.3/thread.php 2006-02-21 07:32:36.000000000 +0000 +++ imp-h3-4.1.3-fixed/thread.php 2007-03-22 13:12:38.000000000 +0000 @@ -119,7 +119,7 @@ $headers->buildAddressLinks('from', Horde::selfUrl(true), true, true); $curr_msg['date'] = $headers->getValue('date'); $curr_msg['from'] = $headers->getValue('from'); - $subject_header = $headers->getValue('subject'); + $subject_header = @htmlspecialchars($headers->getValue('subject'), ENT_COMPAT, NLS::getCharset()); if ($mode == 'thread') { if (empty($subject)) { $subject = preg_replace('/^re:\s*/i', '', $subject_header);
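Review bot: in the templates/search/fields.inc hunk the call is `htmlspecialchars($search['text'][$i])` with no flags and no charset, whereas the thread.php hunk in the same patch uses `htmlspecialchars(..., ENT_COMPAT, NLS::getCharset())`. The patch should be consistent: pass the configured charset here too, and use ENT_QUOTES rather than the default ENT_COMPAT so the escaping stays correct even if the `value="..."` attribute is ever changed to single quotes. The backported upstream change is otherwise the right fix for this line, since `$search['text'][$i]` is request-controlled and was echoed verbatim into the attribute.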
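Review bot: in the templates/search/header.inc hunk the three hidden inputs (`edit_query_id`, `mbox`, `show_subscribed_only`) are escaped correctly for double-quoted attributes, but `$shown` is only reached in the `elseif ($subscribe)` branch while `$edit_query_id` is echoed whenever it is truthy; worth confirming that the code which later reads these hidden fields back from the request does not also echo them somewhere not covered by this patch. Same remark as for fields.inc: add ENT_QUOTES and NLS::getCharset() so all four templates escape identically.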
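Review bot: in the templates/search/main.inc hunk at @@ -126, `vfolder_label` is a user-entered value that is stored with the virtual folder, so escaping it in the search form is necessary but is unlikely to be the only place it is rendered; whoever applies this patch should check the other templates that display the virtual folder label (folder list, navigation) and make sure they escape it as well, because this diff only touches the search screen. The `!empty(...)` guard around the `value` attribute is pre-existing behaviour and not changed here.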
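Review bot: in the thread.php hunk the escaped string is assigned to `$subject_header`, which is then fed into the thread logic (`preg_replace('/^re:\s*/i', '', $subject_header)` and the `$subject` comparison that follows), so the code now compares and strips HTML-escaped subjects instead of raw ones: a subject containing `&` becomes `&amp;` before any comparison with other messages' subjects, which can break thread grouping. Keep the raw header for the logic and call htmlspecialchars() at the point where the subject is echoed. The leading `@` should also go; silencing warnings from htmlspecialchars() hides exactly the charset failures that the NLS::getCharset() argument is meant to handle. Note too that the adjacent `$curr_msg['date'] = $headers->getValue('date');` is still stored raw; if that value is echoed into the page it needs the same treatment.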