On Sat, Jul 21, 2007 at 04:21:08PM +0200, Steffen Joeris wrote:
>
> A possible security hole has been discovered in horde3.
> The CVE[0] text says:
>
> Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php
> in Horde Framework before 3.1.4 RC1, when the login page contains
> a language selection box, allows remote attackers to inject
> arbitrary web script or HTML via the new_lang parameter to login.php.
>
> It states that all the versions in Debian are affected. Feel
> free to downgrade the bug, if I am mistaken.

I was wrong here[*], because an attacker could also inject data into the HTML code of all pages. Then we could imagine a lot of attacks, for example a fake login/password <form>...

I am working on updated packages and warning the security team.

Regards,
--
Gregory Colpart <[EMAIL PROTECTED]>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres  http://www.evolix.fr/