Hello,

The package horde3 has an XSS vulnerability (see CVE-2007-1473 and bug #434045). Affected versions are:

- sarge version (3.0.4-4sarge4)
- etch version (3.1.3-4)
- testing/unstable version (3.1.3-5)
Upstream patch is trivial (http://bugs.horde.org/ticket/?id=4816):

8<----------------------------------
- } elseif (!empty($lang)) {
+ } elseif (!empty($lang) && NLS::isValid($lang)) {
8<----------------------------------

I prepared fixed packages:

- sarge version
  http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
  http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
  http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff

- etch version
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff

- unstable version
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
  http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff

Note that I'm a member of the pkg-horde team but I'm not a DD, so I am waiting for my sponsor to upload the unstable package.

If you want to test the vulnerability, you could go to:
http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
(I can provide you a vulnerable URL in private if you want.)

Information for the advisory:

8<----------------------------------
horde3 -- XSS vulnerability

Date Reported: ?? Jul 2007
Affected Packages: horde3
Vulnerable: Yes
Security database references:
  In Mitre's CVE dictionary: CVE-2007-1473

More information:

It was discovered that the Horde web application framework has a cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter.

For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.

For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.

For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.
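Review bot: the new `NLS::isValid($lang)` guard in the elseif only closes the hole if isValid is a strict allowlist check against the configured languages rather than a syntactic (pattern) check; the hunk does not show its body, so that should be confirmed before the packages are uploaded. Since `$lang` still reaches the page on the accepted path, HTML-escaping it at the point where it is written into the response is the usual defence-in-depth complement to this input check and would be worth carrying in the Debian diff if the upstream code does not already do it.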
We recommend that you upgrade your horde3 package.
8<----------------------------------

Regards,

-- 
Gregory Colpart <[EMAIL PROTECTED]>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres  http://www.evolix.fr/
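The mitigation pattern behind the upstream one-liner, written out as an added example (this is not Horde code and not part of the original message): a user-supplied language code is accepted only if it matches one of the configured languages, with strict comparison, and is HTML-escaped anyway when written into the page. The function names (selectLanguage, renderLanguageNotice) and the sample language list are assumptions chosen for this example; the hostile input is the decoded form of the new_lang value quoted in the report above.

```php
<?php
// Added example, not Horde code: allowlist validation of a language code in
// the spirit of guarding the branch with NLS::isValid($lang), plus output
// escaping as defence in depth.

/** Languages this installation ships; a constructed sample list. */
$availableLanguages = ['en_US', 'fr_FR', 'de_DE'];

/**
 * Return the requested language only if it is one of the configured
 * languages, otherwise the default. The third argument to in_array()
 * forces strict comparison so type juggling cannot widen the match.
 */
function selectLanguage(?string $requested, array $available, string $default): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    // Anything not on the allowlist is discarded, not sanitised: a language
    // code has a closed set of legal values, so validation is the right tool.
    if (!in_array($requested, $available, true)) {
        return $default;
    }
    return $requested;
}

/**
 * Even an allowlisted value is escaped for the HTML body context when it is
 * rendered, so the output never has to trust the input path.
 */
function renderLanguageNotice(string $lang): string
{
    return '<p>Language: ' . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Decoded form of the new_lang value from the report, constructed here as input.
$hostile = '"><body onload="alert(\'hello world\');';
echo renderLanguageNotice(selectLanguage($hostile, $availableLanguages, 'en_US')), "\n";
// -> <p>Language: en_US</p>   (hostile value never reaches the page)

echo renderLanguageNotice(selectLanguage('fr_FR', $availableLanguages, 'en_US')), "\n";
// -> <p>Language: fr_FR</p>
```

The point of keeping both steps is that the allowlist check decides what the application does (which translation to load) while the escaping protects the output context; if a later refactor bypasses the check on some path, the escaping still prevents the injected markup from being interpreted.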