Re: Horde Webmail file inclusion proof of concept & patch.
Before I get into the technical details of this report, and the Horde
Team's response, I want to take a minute to explain the perceived slow
response by the Horde Team to this report. This issue was released to
Bugtraq before any notification was sent to the Horde team. The
notification sent to security@xxxxxxxxx was received Thursday at
nearly 10:30PM Eastern Time, a time after which most of our
developers are no longer active. It was also sent 4 minutes after
the Bugtraq email. There was no bug filed on our website, no prior
warning email, and no courtesy shown by HostGator to the Horde
community. The Horde Team does have established procedures for
handling and coordinating security vulnerability reports and we are
disappointed that HostGator was so hasty to report the vulnerability
publicly before a proper fix could be prepared. Those interested in
learning more about Horde's security policy and the best way to report
vulnerabilities to us should visit
http://wiki.horde.org/SecurityManagement.
Quoting ppelanne@xxxxxxxxxxxxx:
> Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.
> A severe security vulnerability affects any unix distribution
> running version 3.1.6 of the Horde webmail client included in most
> popular webhosting control panels. All previous versions are also
> affected, and it is believed, although not yet proven, that Horde
> Groupware is also vulnerable.
The Horde team has investigated this report and found it to be
reproducible, though not exactly as reported. The SQL example in the
original post does prevent the themes from appearing but does not
execute the file in question. It is unclear based on their limited
information whether they are using a modified version of Horde or if
there were other factors that led to the behavior reported. However,
if a null byte can be inserted into the theme name (for instance when
using the LDAP preference backend which stores preference values in
Base64 encoding) it does become possible to cause a file to be
included and executed.
Based on our research it is true that Horde 3.1.6 does suffer a local
file inclusion vulnerability which in certain configurations can also
include an authenticated user-supplied file. We have prepared a patch
and a new release of Horde 3.1.7 to address this bug. In the short
term admins are encouraged to apply the patch at the URL below which
mitigates the vulnerability:
http://cvs.horde.org/diff.php?r1=1.306&r2=1.307&f=framework/Horde/Horde/Registry.php
If you have any questions about our research or findings, or wish to
report further problems with this patch, please see our security
protocol page at http://wiki.horde.org/SecurityManagement or contact
security@xxxxxxxxxx.
/BAK/
--
Ben Klang
Horde Project
bklang@xxxxxxxxx
http://www.horde.org
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
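The following is an added illustration of the bug class the reply above describes (a stored theme preference that ends up in an include path, and a NUL byte surviving a Base64-encoded preference backend). It is example code written for this page, not Horde's code, and it does not reproduce the Registry.php change linked above. The THEME_ROOT location, the two function names, the installed theme list and the sample preference values are all assumptions made for the example.

```php
<?php
// Added example, not Horde code. THEME_ROOT, the function names and the
// sample values below are assumptions for illustration only.
declare(strict_types=1);

const THEME_ROOT = '/var/www/horde/themes';   // assumed location

/**
 * Unsafe pattern: the stored theme name is trusted and becomes part of an
 * include() path. On PHP releases before 5.3.4 a NUL byte inside $theme
 * truncates the path when include() opens it, so the appended
 * '/themes.php' is discarded and whatever precedes the NUL is included.
 * This function only builds the string; it does not include anything.
 */
function themeFileUnsafe(string $theme): string
{
    return THEME_ROOT . '/' . $theme . '/themes.php';
}

/**
 * Hardened variant: accept only a name that is on the allow-list of
 * installed themes. The character-class check already rules out NUL,
 * '/', '\' and '..', but the explicit NUL test keeps the intent obvious
 * and yields a useful message for the log.
 */
function themeFileSafe(string $theme, array $installed): string
{
    if ($theme === '' || strpos($theme, "\0") !== false) {
        throw new InvalidArgumentException('theme name is empty or contains NUL');
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
        throw new InvalidArgumentException('theme name has characters outside [A-Za-z0-9_-]');
    }
    if (!in_array($theme, $installed, true)) {
        throw new InvalidArgumentException("unknown theme '$theme'");
    }
    return THEME_ROOT . '/' . $theme . '/themes.php';
}

// Constructed preference values as a Base64-encoded backend (the reply
// names LDAP) would hand them back after decoding. The second value
// carries a NUL byte, which Base64 preserves; a plain-text backend may
// not. Both values are made up for this example.
$installed = ['bluewhite', 'mozilla'];
$prefs = [
    base64_decode('Ymx1ZXdoaXRl'),                 // "bluewhite"
    base64_decode(base64_encode("../../../tmp/x\0")), // "../../../tmp/x" + NUL
];

foreach ($prefs as $p) {
    // Show control bytes escaped so the NUL is visible in the output.
    printf("unsafe path: %s\n", addcslashes(themeFileUnsafe($p), "\0..\37"));
    try {
        printf("safe path:   %s\n", themeFileSafe($p, $installed));
    } catch (InvalidArgumentException $e) {
        printf("safe path:   rejected (%s)\n", $e->getMessage());
    }
}
```

Run with `php example.php`. The first value yields the same path from both functions; the second shows the unsafe path ending in `\000/themes.php`, which pre-5.3.4 include() would cut at the NUL, while the hardened function rejects it before any path is formed. The allow-list, not the NUL check alone, is what makes the function safe: it also blocks traversal in theme names that contain no NUL.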