[CVE-2008-1502] XSS

Bug #212211 reported by William Grant
Affects                    Status        Importance  Assigned to       Milestone
egroupware (Debian)        Fix Released  Unknown
egroupware (Gentoo Linux)  Fix Released  Low
egroupware (Ubuntu)        Fix Released  Undecided   William Grant
  Dapper                   Won't Fix     Undecided   Unassigned
  Edgy                     Won't Fix     Undecided   Unassigned
  Feisty                   Won't Fix     Undecided   Unassigned
  Gutsy                    Fix Released  Medium      Emanuele Gentili
  Hardy                    Fix Released  Undecided   William Grant

Bug Description

Binary package hint: egroupware

"The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in eGroupWare before 1.4.003 allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols."
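
The page does not show the kses code, so the following is an added Python example (not eGroupware's PHP) built on an assumed simplified model of the weakness: a single-pass scheme check that decodes only one encoding layer, shown beside a fixed-point variant that re-applies the pass until the string stops changing. The allowlist and the constructed inputs are this example's own.

```python
import html
import re
from urllib.parse import unquote

# Schemes the filter lets through; allowlist constructed for this example.
ALLOWED_PROTOCOLS = frozenset({"http", "https", "ftp", "mailto"})
_SCHEME_CHARS = re.compile(r"[a-z0-9+.\-]+")


def bad_protocol_once(url: str, allowed=ALLOWED_PROTOCOLS) -> str:
    """One filtering pass, a simplified stand-in for a single-pass kses-style check.

    Decodes one layer of HTML entities and percent-encoding, strips control
    characters and whitespace from the scheme, and drops a scheme that is not on
    the allowlist.  Anything still encoded after this one layer is left alone,
    which is what a browser will later decode and act on.  The normalised string
    is returned, so callers must still escape it on output.
    """
    s = unquote(html.unescape(url))
    head, sep, tail = s.partition(":")
    if not sep:
        return s  # no scheme at all, e.g. a relative URL
    scheme = re.sub(r"[\x00-\x20]", "", head).lower()
    if not _SCHEME_CHARS.fullmatch(scheme):
        return s  # head is not a syntactically valid scheme; leave the string as is
    if scheme not in allowed:
        return tail  # disallowed scheme: remove it, keep the remainder
    return s


def bad_protocol_fixed_point(url: str, allowed=ALLOWED_PROTOCOLS, max_rounds: int = 10) -> str:
    """Hardened variant: repeat the pass until the string stops changing.

    Each round peels one encoding layer, so a scheme that only becomes visible
    after several decodes is still caught.  Input that keeps changing after
    max_rounds is rejected outright rather than passed through.
    """
    current, rounds = url, 0
    while True:
        nxt = bad_protocol_once(current, allowed)
        if nxt == current:
            return current
        rounds += 1
        if rounds >= max_rounds:
            return ""  # still unfolding after many rounds: refuse the value
        current = nxt
```

A regression test for a patch like the one in this report would assert that the fixed-point version strips a scheme hidden behind a second encoding layer, which the single pass leaves for the browser to decode.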

William Grant (wgrant)
Changed in egroupware:
assignee: nobody → fujitsu
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package egroupware - 1.2.107-2.dfsg-2ubuntu1

---------------
egroupware (1.2.107-2.dfsg-2ubuntu1) hardy; urgency=low

  * SECURITY UPDATE: cross-site scripting via crafted URL protocols.
    (LP: #212211)
    - debian/patches/CVE-2008-1502.dpatch: Properly sanitise protocols in
      URLs. Patch from upstream.
    - References:
      + CVE-2008-1502
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- William Grant <email address hidden> Sat, 05 Apr 2008 22:47:05 +1100

Changed in egroupware:
status: In Progress → Fix Released
Emanuele Gentili (emgent) wrote:
Changed in egroupware:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
Changed in egroupware:
status: Unknown → Confirmed
Changed in egroupware:
status: Unknown → Fix Released
Changed in egroupware:
status: Confirmed → In Progress
Changed in egroupware:
status: In Progress → Fix Released
Hew (hew) wrote:

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in egroupware:
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote:

Thanks for the gutsy debdiff! Can you post your testing for gutsy? Once that is done I can push these out.

Emanuele Gentili (emgent) wrote:
Changed in egroupware:
status: In Progress → Fix Released
Hew (hew) wrote:

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in egroupware:
status: New → Won't Fix
Changed in egroupware (Gentoo Linux):
importance: Unknown → Low
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in egroupware (Ubuntu Dapper):
status: New → Won't Fix
This report contains Public Security information; everyone can see this security-related information.