n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.007 11-Sep-2008 ________________________________________________________________________ Vendor: Various Affected Products: Horde >= 3.1, <= 3.2.1 Popoon/Flux-CMS <= r22196 Secondary, affected versions: Cake-PHP <= 1.2.x.x_18.08.2008 (nightly) phpMyFAQ <= 2.5.0-dev (2008-08-18) deluxeBB <= 1.2 emucms <= 0.3 SimpleSite <= 1.6.4 RevokeBB <= 1.0RC11_normal TPLN <= 2.9 Logicoder <= r27 phour <= r106 MDPro <= 1.0821 noserub <= r784/0.6 and probably more Vulnerability: Cross-Site Scripting Filter Evasion in various frameworks / applications CVE: CVE-2008-3824 oCERT: oCERT-2008-012 Risk: MEDIUM ________________________________________________________________________ Vendor communication: 2008/07/25 Bug found and PoC preparation 2008/07/26 Vulnerability report submitted via oCert online-form 2008/08/05 oCert confirmed the submission. oCert starts the coordination of affected authors/vendors 2008/09/06 oCert informs all parties about the advisory release date 2008/09/11 n.runs AG releases this advisory in coordination with oCert ________________________________________________________________________ Overview: The Horde project relies on code similar to Popoon's externalinput.php to filter out potential XSS attacks on user-supplied input. Other projects are using the same code base. Therefore this vulnerability affects also the popular Cake-PHP framework. Hence, all users that rely on the externalinput sanitization functionality are affected by this vulnerability, as in addition to many other unrelated, open source projects. Description: The XSS filter fails to fully sanitize the user data. In particular, this filter fails to protect against a special character which Microsoft Internet Explorer and Mozilla Firefox is interpreting it as a valid space character. Impact: This circumstance allows to bypass the filter and to apply Cross-Site Scripting. Solution: For detailed information about the fixes, follow the link in the references section [1] of this document. ________________________________________________________________________ Credits: Bug found by Alexios Fakos of n.runs AG. Many thanks to Will Drewry of oCert team for the coordination and professional communication. ________________________________________________________________________ References: [1] http://www.ocert.org/advisories/ocert-2008-012.html This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php Subscribe to the n.runs newsletter by signing up to: http://www.nruns.com/newsletter_en.php ________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2008 n.runs AG. All rights reserved. Terms of use apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/