Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Tue, 20 Jan 2009 18:48:59 +0100
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: CVE request - horde XSS

Hi!

It looks like IE-specific XSS issue was fixed in horde 3.2.3 and 3.3.1
(and few other hodre-based products) was fixed back in Dec, that
probably should have CVE id:

Release announcements:
http://lists.horde.org/archives/announce/2008/000462.html (3.2.3)
http://lists.horde.org/archives/announce/2008/000464.html (3.3.1)

Patch:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413.2.1&r2=1.515.2.413.2.3&ty=h
http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Test cases:
http://cvs.horde.org/diff.php/framework/Text_Filter/tests/xss.phpt?r1=1.1.2.3&r2=1.1.2.4
http://cvs.horde.org/framework/Text_Filter/tests/xss100.html

-- 
Tomas Hoger / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux