SSD Advisory – Horde Groupware Files Application XSS

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Horde Groupware is a free, enterprise ready, browser based collaboration suite. Users can manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware bundles the separately available applications Kronolith, Turba, Nag Mnemo, Gollem, and Trean.
Vulnerability Details
A vulnerability in the way Horde Groupware handles directory contents allows an authenticated attacker to inject a XSS into directories and files and have others become victim to their code execution via the sharing option.

The first step to recreate the vulnerability is to create a file or folder under the Files Application option, and then select the ‘rename’ option:
horde_rename
Then instead of the regular filename, place something like:

<s>aaa</s>

Instead of the filename, then when you look at the folder you would see:
horde_aaa
Of course you could something more complicated and more dangerous than this such as:

"><script>alert(document.cookie)</script>

horde_xss
At this point the attack is local, only affecting the current user, to extend this to any user viewing the shared files and folders that Horde provides a user just needs to ‘Share’ it:
horde_share
Vendor Response
Horde has issued a patch [SECURITY] Horde Groupware Webmail Edition 5.2.10 (final) which addresses this vulnerability.