Horde Gollem 3.0.12, as used in Horde Groupware Webmail Edition 5.2.22, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir
parameter in the browser functionality. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.
Gollem is a web-based file manager, providing the ability to fully manage a hierarchical file system stored in a variety of backends such as a SQL database, as part of a real filesystem, or on FTP, Samba or SSH servers. For more information on Gollem, visit http://www.horde.org/apps/gollem.
The dir
parameter in page gollem/manager.php
is used to define the folder Gollem should open in the page for the user. Such page uses Gollem::directoryNavLink
to create a dynamic URL to the parent folder on line 285:
|
|
The parents’ names of the current folder are correctly encoded, but not the last one, as we can see in line 696:
|
|
By using a malicious current folder name it is possible to write arbitrary HTML code in the webpage.
[webmail hostname/IP]/gollem/manager.php?dir=%3Cimg%20src=1%20onerror=alert%28document.domain%29%3E
alert(document.domain)
An unauthenticated attacker might be able to gain access to the victim’s webmail by making them visit an URL which triggers the XSS vulnerability.
The folder name is now correctly encoded regardless of its position in the path. Upgrade to Horde Gollem 3.0.13.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/horde-gollem-reflected-cross-site-scripting-xss/
Data
20 aprile 2020