Horde Gollem 3.0.12, as used in Horde Groupware Webmail Edition 5.2.22, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET
dir parameter in the browser functionality. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.
Gollem is a web-based file manager, providing the ability to fully manage a hierarchical file system stored in a variety of backends such as a SQL database, as part of a real filesystem, or on FTP, Samba or SSH servers. For more information on Gollem, visit http://www.horde.org/apps/gollem.
dir parameter in page
gollem/manager.php is used to define the folder Gollem should open in the page for the user. Such page uses
Gollem::directoryNavLink to create a dynamic URL to the parent folder on line 285:
The parents' names of the current folder are correctly encoded, but not the last one, as we can see in line 696:
By using a malicious current folder name it is possible to write arbitrary HTML code in the webpage.
An unauthenticated attacker might be able to gain access to the victim’s webmail by making them visit an URL which triggers the XSS vulnerability.
The folder name is now correctly encoded regardless of its position in the path. Upgrade to Horde Gollem 3.0.13.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
20 April 2020