
Re: Horde Webmail file inclusion proof of concept & patch.



Before I get into the technical details of this report, and the Horde Team's response, I want to take a minute to explain the perceived slow response by the Horde Team to this report. This issue was released to Bugtraq before any notification was sent to the Horde team. The notification sent to security@xxxxxxxxx was received Thursday at nearly 10:30PM Eastern Time, a time after which most of our developers are no longer active. It was also sent 4 minutes after the Bugtraq email. There was no bug filed on our website, no prior warning email, and no courtesy shown by HostGator to the Horde community. The Horde Team does have established procedures for handling and coordinating security vulnerability reports and we are disappointed that HostGator was so hasty to report the vulnerability publicly before a proper fix could be prepared. Those interested in learning more about Horde's security policy and the best way to report vulnerabilities to us should visit http://wiki.horde.org/SecurityManagement.

Quoting ppelanne@xxxxxxxxxxxxx:

> Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.
>
> A severe security vulnerability affects any unix distribution running version 3.1.6 of the Horde webmail client included in most popular webhosting control panels. All previous versions are also affected and it is believed although not yet proven that Horde Groupware is also vulnerable.

The Horde team has investigated this report and found it to be reproducible, though not exactly as reported. The SQL example in the original post does prevent the themes from appearing but does not execute the file in question. It is unclear based on their limited information whether they are using a modified version of Horde or if there were other factors that led to the behavior reported. However, if a null byte can be inserted into the theme name (for instance when using the LDAP preference backend, which stores preference values in Base64 encoding) it does become possible to cause a file to be included and executed.

Based on our research it is true that Horde 3.1.6 does suffer a local file inclusion vulnerability which in certain configurations can also include an authenticated user-supplied file. We have prepared a patch and a new release of Horde 3.1.7 to address this bug. In the short term admins are encouraged to apply the patch at the URL below which mitigates the vulnerability:

http://cvs.horde.org/diff.php?r1=1.306&r2=1.307&f=framework/Horde/Horde/Registry.php

If there are any questions about our research or findings, or to report further problems with this patch, please see our security protocol page at http://wiki.horde.org/SecurityManagement or contact security@xxxxxxxxxx.

/BAK/
--
Ben Klang
Horde Project
bklang@xxxxxxxxx
http://www.horde.org

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
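The null-byte path the reply above describes, as an added example that is neither Horde's code nor the linked patch: a hypothetical theme loader in the unsafe shape next to a hardened form that validates the stored preference value at the point of use. The function names, the `<theme>/themes.php` layout and the directory path are assumptions.

```php
<?php
// Added example (not Horde's code). Demonstrates why a preference value that
// ends up in an include path must be validated where it is used, not only
// where it is stored: a backend such as the Base64-encoded LDAP storage in
// the thread can hand back bytes (including NUL) that the UI never saw.

// UNSAFE (hypothetical): the stored preference flows straight into include.
// A NUL byte in $themeName truncates the path on old PHP versions, so a
// different file than the intended themes.php is loaded.
function load_theme_unsafe(string $themesDir, string $themeName): void
{
    include $themesDir . '/' . $themeName . '/themes.php';
}

// Hardened: accept only a single path label of safe characters. This rejects
// NUL bytes, '/', '\\', '.', '..' and over-long names in one check.
// \A and \z are used instead of ^ and $ so a trailing newline cannot slip by.
function is_valid_theme_name(string $themeName): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $themeName) === 1;
}

// Second layer: resolve the final path and confirm it is still inside the
// themes directory before anything is included.
function resolve_theme_file(string $themesDir, string $themeName): ?string
{
    if (!is_valid_theme_name($themeName)) {
        return null;
    }
    $base   = realpath($themesDir);
    $target = realpath($themesDir . '/' . $themeName . '/themes.php');
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function load_theme_safe(string $themesDir, string $themeName): bool
{
    $file = resolve_theme_file($themesDir, $themeName);
    if ($file === null) {
        // Log the raw bytes; a NUL in a preference value is worth an alert.
        error_log('rejected theme preference: ' . bin2hex($themeName));
        return false;
    }
    include $file;
    return true;
}

// Constructed inputs: a plain name, and a decoded Base64 value carrying a NUL.
foreach (['bluewhite', base64_decode('Li4vLi4vZXRjL3Bhc3N3ZAA=')] as $name) {
    printf("%-40s %s\n", bin2hex($name), is_valid_theme_name($name) ? 'ok' : 'rejected');
}
```

The Base64 sample is a constructed value whose decoded form contains a trailing NUL byte, so the validator rejects it before any path is built.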