<<< Date Index >>>     <<< Thread Index >>>

Re: Horde Webmail file inclusion proof of concept & patch.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Mar 8, 2008, at 1:22 PM, Ben Klang wrote:
The Horde team has investigated this report and found it to be reproducible, though not exactly as reported. The SQL example in the original post does prevent the themes from appearing but does not execute the file in question. It is unclear based on their limited information whether they are using a modified version of Horde or if there were other factors that lead to the behavior reported. However if a null byte can be inserted into the theme name (for instance when using the LDAP preference backend which stores preference values in Base64 encoding) it does become possible to cause a file to be included and executed.


I'm a bit behind in reading bugtraq but thought I'd throw this in: We had a similar situation sometime back with Maia Mailguard, and the null byte thing depends on the platform. It was reported on a BSD system I think, but our Linux systems would not reproduce it.

In any case, the data should be sanitized. :)

David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda@xxxxxxxxx



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH48xpUy30ODPkzl0RAitiAJ9zWAh79nDx/zT2V5XkKiRufXYapwCgs2Wo
fSEL3bzwgymbhgDdfeRUz6Y=
=X5gF
-----END PGP SIGNATURE-----