======================================================================== = CodeScan Advisory, codescan.com <advisories (at) codescan (dot) com [email concealed]> = = Unauthenticated Arbitrary File Read in Horde v3.09 and prior = = Vendor Website: = http://www.horde.org = = Affected Version: = Versions prior to and including v3.09 = = Researched By = Paul Craig <paul.craig (at) security-assessment (dot) com [email concealed]> = = Public disclosure on March 15th, 2006 ======================================================================== == Overview == CodeScan Labs (www.codescan.com), has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input. During the beta testing of CodeScan PHP, Horde v3.09 was selected as one of the test applications. This advisory is the result of research into the security of Horde, based on the report generated by the CodeScan tool. CodeScan Labs has also worked with the vendor of horde to ensure future versions of the product are secure. == Affected Versions == Although all versions of horde v3.09 and prior are vulnerable to this attack, many distrubitions of PHP are not vulnerable by default. This vulnerability was tested and exploited on a default Fedora Core 4 install, although several horde developers were unable to reproduce this vulnerability on Debian based servers. == Vulnerability Details == In the file /services/go.php, an insecure call is made to the readfile() function. This can be seen in the code below. -------------------------------------------------------------- $_GET['url'] = trim($_GET['url']); if (get_magic_quotes_gpc()) { $url = @parse_url(trim(stripslashes($_GET['url']))); } else { $url = @parse_url(trim($_GET['url'])); } if (empty($url) || empty($url['host'])) { exit; } if ((!empty($_SERVER['SERVER_NAME']) && $_SERVER['SERVER_NAME'] == $url['host']) || (!empty($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] == $url['host'])) { ......... // Pass through image content if requested. if (!empty($_GET['untrusted'])) { readfile($_GET['url']); exit; -------------------------------------------------------------- Calls to parse_url attempt to sanitise the input through the requirement of an http:// type string. Embedding a NULL character within the URL variable enables an attacker to control the variable passed to readfile() leading to the reading of any file on the file system with the privileges of the web server. == Solutions == CodeScan Labs has been in contact with Horde and a new version of the software has been released to address the discovered vulnerability. Users are advised to upgrade to version 3.1 ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz == Credit == Discovered and advised to Horde 4th March, 2006 by Paul Craig of Security-Assessment.com == About CodeScan Labs Ltd == CodeScan Labs is specialist security research and development organisation, that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of the web application source code for security vulnerabilities. The CodeScan product is currently available for ASP and PHP(Beta) == About Security-Assessment.com == Security-Assessment.com is Australasia's only pure play security company, specialising in security audit, assurance and advice services. Assisting large and medium size Enterprises who require true independent measurement of their security compliance at all levels. e-mail protected and scanned by Bizo Email Filter - powered by Advascan