oCERT-2008-012 Horde, Popoon frameworks common input sanitization errors (XSS)
Description:
Two cross-site scripting (XSS) vulnerabilities were reported in Horde Framework. The first of which is that the Horde framework fails to properly sanitize the filename of MIME attachments on received emails. The second vulnerability has a wider impact.
Horde relies on code similar to Popoon's externalinput.php to filter out potential XSS attacks on user-supplied input. This filter, and the original, fail to fully sanitize user data. In particular, this filter fails to protect against '/'s acting as spaces in both Microsoft Internet Explorer and Mozilla Firefox.
For example, the following snippet, supplied by the reporter, is treated as valid by the browsers but safe by the filter: <body/onload=alert(/w00w00/)>
Patches have been made available for Horde:
* 3.1: Text_Filter.31.patch
* 3.2 - CVS HEAD: MIME.patch, Text_Filter.patch
A fixed version of externalinput.php is linked below as well.
Affected version:
Horde >= 3.2, <= 3.2.1 (both issues)
Horde >= 3.1, < 3.2 (XSS filter only)
externalinput.php from Popoon <= r22196.
(secondary affected versions)
Horde Groupware >= 1.0, <= 1.0.6 (XSS filter only)
Horde Groupware Webmail Edition >= 1.0, <= 1.0.7 (XSS filter only)
Horde Groupware >= 1.1, <= 1.1.2 (both issues)
Horde Groupware Webmail Edition >= 1.1, <= 1.1.2 (both issues)
Cake-PHP <= 1.2.0.7296 RC2
phpMyFaq <= 2.5.0-dev
deluxeBB <= 1.2
emuCMS <= 0.3
SimpleSite <= 1.6.4
RevokeBB <= 1.0RC11_normal
TPLN <= 2.9
Logicoder <= r27
phour <= r106
MDPro <= 1.0821
noserub <= r784, 0.6 [CakePHP user]
Fixed version:
externalinput.php (now clean.php) >= 200809010
Horde > 3.2.1
phpMyFaq >= 2.0.8, 2.5.0-dev (svn-20080911)
Credit: vulnerability report and proof of concepts received from Alexios Fakos <security [at] nruns [dot] com>.
CVE: CVE-2008-3823 (MIME attachment), CVE-2008-3824 (XSS filtering)
Timeline:2008-08-05: initial report and proof of concepts received
2008-08-18: affected software survey completed by oCERT
2008-08-18: externalinput.php/Popoon author contacted
2008-08-19: Horde author contacted
2008-08-19: initial patches for Horde and Popoon supplied by vendors
2008-08-19: reporter calls out additional possible vectors in externalinput.php
2008-08-20: secondary fixed for externalinput.php supplied
2008-08-20: attempted to contact CakePHP
2008-09-04: final Horde patches supplied
2008-09-04: potentially affected vendors notified
2008-08-05: CVEs assigned
2008-09-05: oCERT requests end of embargo to be Sep 10, 1700 UTC
2008-09-06: contacted phlymail lite, confirmed unaffected
2008-09-06: notified all secondary vendors above
2008-09-06: acknowledgement from cakephp, noserub, phpmyfaq
2008-09-09: confirmed exact embargo end with vendor-sec and other vendors
2008-09-10: advisory released
References:
http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html
http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html
n runs-SA-2008 006 Horde Cross-Site Scripting in filename MIME attachments
n runs-SA-2008 007 Cross-Site Scripting Filter Evasion in various frameworks