Re: Horde Webmail file inclusion proof of concept & patch.
On Mar 8, 2008, at 1:22 PM, Ben Klang wrote:
> The Horde team has investigated this report and found it to be
> reproducible, though not exactly as reported. The SQL example in
> the original post does prevent the themes from appearing but does
> not execute the file in question. It is unclear based on their
> limited information whether they are using a modified version of
> Horde or if there were other factors that led to the behavior
> reported. However, if a null byte can be inserted into the theme
> name (for instance when using the LDAP preference backend, which
> stores preference values in Base64 encoding) it does become possible
> to cause a file to be included and executed.
I'm a bit behind in reading bugtraq but thought I'd throw this in: We
had a similar situation some time back with Maia Mailguard, and the
null byte thing depends on the platform. It was reported on a BSD
system I think, but our Linux systems would not reproduce it.
In any case, the data should be sanitized. :)
David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda@xxxxxxxxx
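Added illustration of the two behaviours described in the thread (this is not Horde or Maia Mailguard code, and the install path, theme list, preference encoding and "themes/<name>/theme.php" layout are assumptions made for the example). A path built from an unvalidated theme name ends in a fixed filename, so a plain traversal string only points at a file that does not exist; once a null byte is in the stored value, a runtime that hands the path to the C library as a NUL-terminated string drops the fixed suffix and includes whatever the attacker named. The hardened variant applies the sanitizing David asks for: a strict character class, a check against the installed themes, and a realpath containment check.

```python
"""
Added example, not from the original post or the Horde project.
Models how a null byte in a theme-name preference turns a fixed
include path into an attacker-chosen one, and how to validate it.
"""
import base64
import os
import re

THEME_DIR = "/var/www/horde/themes"                  # assumed install path
INSTALLED_THEMES = {"bluewhite", "graphics", "mozilla"}  # assumed theme list
THEME_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def encode_pref(raw: bytes) -> str:
    """Store a preference the way a Base64-encoding backend (e.g. LDAP) would.
    Base64 carries a 0x00 byte through untouched, which is the whole point."""
    return base64.b64encode(raw).decode("ascii")


def c_string_truncate(path: str) -> str:
    """Model a runtime that passes the path to the C library unchanged:
    the C string ends at the first NUL, so the fixed suffix is discarded.
    Whether the runtime truncates like this or rejects the path varies by
    PHP version and platform, which matches the reproduction differences
    reported in the thread."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def vulnerable_theme_file(pref_value_b64: str) -> str:
    """Unvalidated: the decoded theme name is spliced straight into the
    include path that the application later loads."""
    theme = base64.b64decode(pref_value_b64).decode("utf-8")
    path = os.path.join(THEME_DIR, theme, "theme.php")
    return c_string_truncate(path)


def resolved(path: str) -> str:
    """Collapse '..' segments to show where the include actually lands."""
    return os.path.normpath(path)


def safe_theme_file(pref_value_b64: str) -> str:
    """Hardened: whitelist the characters, then the name, then the location."""
    theme = base64.b64decode(pref_value_b64).decode("utf-8")
    if not THEME_NAME_RE.fullmatch(theme):
        raise ValueError("theme name contains disallowed characters")
    if theme not in INSTALLED_THEMES:
        raise ValueError("unknown theme")
    path = os.path.join(THEME_DIR, theme, "theme.php")
    base = os.path.realpath(THEME_DIR) + os.sep
    if not os.path.realpath(path).startswith(base):
        raise ValueError("path escapes theme directory")
    return path


def is_rejected(pref_value_b64: str) -> bool:
    """True if the hardened lookup refuses the stored preference."""
    try:
        safe_theme_file(pref_value_b64)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    # Constructed attacker preferences: traversal without and with a NUL.
    plain = encode_pref(b"../../../../tmp/evil.php")
    with_nul = encode_pref(b"../../../../tmp/evil.php\x00")
    print("no NUL  ->", vulnerable_theme_file(plain))      # ends in /theme.php
    print("with NUL->", resolved(vulnerable_theme_file(with_nul)))  # /tmp/evil.php
    print("hardened rejects both:", is_rejected(plain), is_rejected(with_nul))
```

The regex is deliberately tighter than "no null bytes": rejecting everything outside a small character class also removes path separators, dots and encoding tricks, so the check does not depend on how a particular platform treats an embedded NUL.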