Bug#415117: [pkg-horde] Bug#415117: imp4: XSS vulnerability in search screen and thread view

2007-03-24 Thread Ola Lundqvist
Thanks a lot! I'm building a package now.

Regards,

// Ola

On Thu, Mar 22, 2007 at 01:14:56PM +, Marcos Marado wrote:
 On Thursday 22 March 2007 13:07, Marcos Marado wrote:
   Ola Lundqvist [EMAIL PROTECTED] wrote:
  
   Interesting! Will you create a fix for this?
 
  I took from the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 a working
  patch to fix the XSS vulnerability. I'm not really sure if I should submit
  a patch that would work against imp4_4.1.3-2 (in etch) or against
  imp4_4.1.3-3 (in sid)... Well, probably it will work against both. I'll
  send the patch after lunch.
 
 Here's the patch. It was created to be applied against imp4_4.1.3-2. Can I 
 help with anything else?
 
 -- 
 Marcos Marado
 Sonaecom IT


 ___
 pkg-horde-hackers mailing list
 [EMAIL PROTECTED]
 http://lists.alioth.debian.org/mailman/listinfo/pkg-horde-hackers

-- 
 - Ola Lundqvist ---
/  [EMAIL PROTECTED] Annebergsslingan 37  \
|  [EMAIL PROTECTED] 654 65 KARLSTAD  |
|  +46 (0)54-10 14 30  +46 (0)70-332 1551   |
|  http://opalsys.net/ UIN/icq: 4912500 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#415117: [pkg-horde] Bug#415117: imp4: XSS vulnerability in search screen and thread view

2007-03-22 Thread Marcos Marado
 Ola Lundqvist [EMAIL PROTECTED] wrote:

 Interesting! Will you create a fix for this?

I took from the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 a working patch 
to fix the XSS vulnerability. I'm not really sure if I should submit a patch 
that would work against imp4_4.1.3-2 (in etch) or against imp4_4.1.3-3 (in 
sid)... Well, probably it will work against both. I'll send the patch after 
lunch.

Best regards,
-- 
Marcos Marado
Sonaecom IT





Bug#415117: [pkg-horde] Bug#415117: imp4: XSS vulnerability in search screen and thread view

2007-03-22 Thread Marcos Marado
On Thursday 22 March 2007 13:07, Marcos Marado wrote:
  Ola Lundqvist [EMAIL PROTECTED] wrote:
 
  Interesting! Will you create a fix for this?

 I took from the diff between imp-h3-4.1.4-rc1 and imp-h3-4.1.4 a working
 patch to fix the XSS vulnerability. I'm not really sure if I should submit
 a patch that would work against imp4_4.1.3-2 (in etch) or against
 imp4_4.1.3-3 (in sid)... Well, probably it will work against both. I'll
 send the patch after lunch.

Here's the patch. It was created to be applied against imp4_4.1.3-2. Can I 
help with anything else?

-- 
Marcos Marado
Sonaecom IT
diff -ru imp-h3-4.1.3/templates/search/fields.inc imp-h3-4.1.3-fixed/templates/search/fields.inc
--- imp-h3-4.1.3/templates/search/fields.inc	2006-01-01 07:02:09.0 +
+++ imp-h3-4.1.3-fixed/templates/search/fields.inc	2007-03-22 13:11:00.0 +
@@ -21,7 +21,7 @@
   ($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_BODY) ||
   ($imp_search_fields[$curr_field]['type'] == IMP_SEARCH_TEXT)): ?
  td class=item0 leftAlign
-  input type=text name=search_text[?php echo $i ?] size=40 ?php if (!empty($search['text'][$i])) echo 'value=' . $search['text'][$i] . ' '; ?/
+  input type=text name=search_text[?php echo $i ?] size=40 ?php if (!empty($search['text'][$i])) echo 'value=' . htmlspecialchars($search['text'][$i]) . ' '; ?/
   input type=checkbox name=search_text_not[?php echo $i ?] ?php if (!empty($search['text_not'][$i])) echo 'checked=checked '; ?/
 em?php echo _(Do NOT match) ?/em
  /td
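Review bot: htmlspecialchars() is called here with its default flags and no charset argument, whereas the thread.php hunk in the same patch passes ENT_COMPAT and NLS::getCharset() explicitly; before PHP 5.4 the default charset is ISO-8859-1, so for consistency across the patch and correct handling of multibyte search text consider `htmlspecialchars($search['text'][$i], ENT_COMPAT, NLS::getCharset())` here and in the matching vfolder_label line of main.inc. Note also that the default ENT_COMPAT escapes only double quotes, so this fix relies on the value attribute remaining double-quoted in the template.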
diff -ru imp-h3-4.1.3/templates/search/header.inc imp-h3-4.1.3-fixed/templates/search/header.inc
--- imp-h3-4.1.3/templates/search/header.inc	2006-02-08 21:28:57.0 +
+++ imp-h3-4.1.3-fixed/templates/search/header.inc	2007-03-22 13:11:00.0 +
@@ -2,12 +2,12 @@
 input type=hidden name=actionID value=update_search /
 input type=hidden name=delete_field_id value= /
 ?php if ($edit_query_id): ?
-input type=hidden name=edit_query_id value=?php echo $edit_query_id ? /
+input type=hidden name=edit_query_id value=?php echo htmlspecialchars($edit_query_id) ? /
 ?php endif; ?
 ?php if (!empty($search['mbox'])): ?
-input type=hidden name=mbox value=?php echo $search['mbox'] ? /
+input type=hidden name=mbox value=?php echo htmlspecialchars($search['mbox']) ? /
 ?php elseif ($subscribe): ?
-input type=hidden name=show_subscribed_only value=?php echo $shown ? /
+input type=hidden name=show_subscribed_only value=?php echo htmlspecialchars($shown) ? /
 ?php endif; ?
 div align=center
 table border=0 cellspacing=0 cellpadding=2 width=100%
diff -ru imp-h3-4.1.3/templates/search/main.inc imp-h3-4.1.3-fixed/templates/search/main.inc
--- imp-h3-4.1.3/templates/search/main.inc	2006-02-15 01:29:27.0 +
+++ imp-h3-4.1.3-fixed/templates/search/main.inc	2007-03-22 13:11:00.0 +
@@ -77,7 +77,7 @@
  /tr
 
 ?php if (!empty($search['mbox'])): ?
- input id=preselected_folders type=hidden name=search_folders[] value=?php echo $search['mbox'] ? /
+ input id=preselected_folders type=hidden name=search_folders[] value=?php echo htmlspecialchars($search['mbox']) ? /
 ?php else: ?
  tr
   td class=smallheader leftAlign colspan=2?php echo _(Message folders) ?/td
@@ -126,7 +126,7 @@
 ?php endif; ?
 tr
  td class=item1 leftAlign nowrap=nowrap
-  em?php echo _(Virtual folder label) ?:/emnbsp;input type=text id=vfolder_label name=vfolder_label ?php if (!empty($search['vfolder_label'])) echo 'value=' . $search['vfolder_label'] . ' '; ?/
+  em?php echo _(Virtual folder label) ?:/emnbsp;input type=text id=vfolder_label name=vfolder_label ?php if (!empty($search['vfolder_label'])) echo 'value=' . htmlspecialchars($search['vfolder_label']) . ' '; ?/
  /td
 /tr
/table
diff -ru imp-h3-4.1.3/thread.php imp-h3-4.1.3-fixed/thread.php
--- imp-h3-4.1.3/thread.php	2006-02-21 07:32:36.0 +
+++ imp-h3-4.1.3-fixed/thread.php	2007-03-22 13:12:38.0 +
@@ -119,7 +119,7 @@
 $headers-buildAddressLinks('from', Horde::selfUrl(true), true, true);
 $curr_msg['date'] = $headers-getValue('date');
 $curr_msg['from'] = $headers-getValue('from');
-$subject_header = $headers-getValue('subject');
+		$subject_header = @htmlspecialchars($headers-getValue('subject'), ENT_COMPAT, NLS::getCharset());
 if ($mode == 'thread') {
 if (empty($subject)) {
 $subject = preg_replace('/^re:\s*/i', '', $subject_header);
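Review bot: the replacement line is indented with tabs while the surrounding lines use spaces, and the @ operator silences any warning htmlspecialchars() would emit if NLS::getCharset() returned an unsupported charset; both are worth cleaning up before the change goes into the Debian package. Escaping at assignment also means $subject_header, and the $subject derived from it by the preg_replace() on the following lines, now carry HTML-escaped text, so every later use of those variables should be checked to expect escaped output, otherwise a second escape at output time would double-encode entities in the subject.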


Bug#415117: [pkg-horde] Bug#415117: imp4: XSS vulnerability in search screen and thread view

2007-03-16 Thread Ola Lundqvist
Hi

Interesting! Will you create a fix for this?

Regards,

// Ola

On Fri, Mar 16, 2007 at 08:33:26AM +0100, Lionel Elie Mamane wrote:
 Package: imp4
 Version: 4.0.2-1
 Severity: grave
 Tags: security
 Justification: security hole when package used
 
 Upstream changelog of new version says:
 
 This (..) fixes two cross site scripting vulnerabilities.
 
 Major changes compared to the IMP H3 (4.1.4-RC1) version are:
 * Fixed XSS vulnerabilities in the search screen and thread view.
 
 Sarge may or may not be vulnerable, I haven't checked yet.
 
 


