n runs-SA-2008 007 Cross-Site Scripting Filter Evasion in various frameworks

Vendor: Various
Affected Products:
   - Horde >= 3.1, <= 3.2.1
   - Popoon/Flux-CMS <= r22196
   Secondary, affected versions:
   - Cake-PHP <= 1.2.x.x_18.08.2008 (nightly)
   - phpMyFAQ <= 2.5.0-dev (2008-08-18)
   - deluxeBB <= 1.2
   - emucms <= 0.3
   - SimpleSite <= 1.6.4
   - RevokeBB <= 1.0RC11_normal
   - TPLN <= 2.9
   - Logicoder <= r27
   - phour <= r106
   - MDPro <= 1.0821
   - noserub <= r784/0.6
   - and probably more

Vulnerability: Cross-Site Scripting Filter Evasion in various
Risk: MEDIUM

  2008/07/25    Bug found and PoC preparation
  2008/07/26    Vulnerability report submitted via oCert online-form 
  2008/08/05    oCert confirmed the submission. oCert starts the 
                           coordination of affected authors/vendors  
  2008/09/06    oCert informs all parties about the advisory release date
  2008/09/11    n.runs AG releases this advisory in coordination with oCert
    

Overview:

The Horde project relies on code similar to Popoon's externalinput.php to filter out potential XSS attacks on user-supplied input. Other projects are using the same code base. Therefore this vulnerability affects also the popular Cake-PHP framework. Hence, all users that rely on the externalinput sanitization functionality are affected by this vulnerability, as in addition to many other unrelated, open source projects.

Description:

The XSS filter fails to fully sanitize the user data. In particular, this filter fails to protect against a special character which Microsoft Internet Explorer and Mozilla Firefox is interpreting it as a valid space character.