Re: Horde Webmail file inclusion proof of concept & patch.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Horde Webmail file inclusion proof of concept & patch.
From: Ben Klang <bklang@xxxxxxxxx>
Date: Sat, 08 Mar 2008 14:22:16 -0500
In-reply-to: <20080307032523.6992.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20080307032523.6992.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Internet Messaging Program (IMP) H3 (4.2-cvs)

Before I get into the technical details of this report, and the HordeTeam's response, I want to take a minute to explain the perceived slowresponse by the Horde Team to this report. This issue was released toBugtraq before any notification was sent to the Horde team. Thenotification sent to security@xxxxxxxxx was received Thursday atnearly 10:30PM Eastern Time , a time after which most of ourdevelopers are no longer are active. It was also sent 4 minutes afterthe Bugtraq email. There was no bug filed on our website, no priorwarning email, and no courtesy shown by HostGator to the Hordecommunity. The Horde Team does have established procedures forhandling and coordinating security vulnerability reports and we aredisappointed that HostGator was so hasty to report the vulnerabilitypublicly before a proper fix could be prepared. Those interested inlearning more about Horde's security policy and the best way to reportvulnerabilities to us should visithttp://wiki.horde.org/SecurityManagement.


Quoting ppelanne@xxxxxxxxxxxxx:

Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.
A severe security vulnerability affects any unix distributionrunning version 3.1.6 of the Horde webmail client included in mostpopular webhosting control panels. All previous versions are alsoaffected and it is believed although not yet proven that HordeGroupware is also vulnerable.

The Horde team has investigated this report and found it to bereproducible, though not exactly as reported. The SQL example in theoriginal post does prevent the themes from appearing but does notexecute the file in question. It is unclear based on their limitedinformation whether they are using a modified version of Horde or ifthere were other factors that lead to the behavior reported. Howeverif a null byte can be inserted into the theme name (for instance whenusing the LDAP preference backend which stores preference values inBase64 encoding) it does become possible to cause a file to beincluded and executed.

Based on our research it is true that Horde 3.1.6 does suffer a localfile inclusion vulnerability which in certain configurations can alsoinclude an authenticated user-supplied file. We have prepared a patchand a new release of Horde 3.1.7 to address this bug. In the shortterm admins are encouraged to apply the patch at the URL below whichmitigates the vulnerability:


http://cvs.horde.org/diff.php?r1=1.306&r2=1.307&f=framework/Horde/Horde/Registry.php

If there are any questions about our research, findings, or to reportfurther problems with this patch, please see our security protocolpage at http://wiki.horde.org/SecurityManagement or contactsecurity@xxxxxxxxxx


/BAK/
--
Ben Klang
Horde Project
bklang@xxxxxxxxx
http://www.horde.org

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Follow-Ups:
- Re: Horde Webmail file inclusion proof of concept & patch.
  - From: David Morton

References:
- Horde Webmail file inclusion proof of concept & patch.
  - From: ppelanne

Prev by Date: [ GLSA 200803-14 ] Ghostscript: Buffer overflow
Next by Date: F5 BIG-IP Web Management Console XSS
Previous by thread: Horde Webmail file inclusion proof of concept & patch.
Next by thread: Re: Horde Webmail file inclusion proof of concept & patch.
Index(es):
- Date
- Thread