There is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1. This has been fixed in commit https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3 Also check changelog https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215 Can you please assign a CVE for this issue? Thanks in advance. PS: while I discovered this bug independently reviewing horde3 code, the full credit should go to the horde maintainers as they discovered and fixed it first on horde5. framework/Util/lib/Horde/Variables.php @@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false) * Constructor. * * @param array $vars The list of form variables (if null, defaults - * to PHP's $_REQUEST value). + * to PHP's $_REQUEST value). If '_formvars' + * exists, it must be a JSON encoded array that + * contains the list of allowed form variables. * @param string $sanitize Sanitize the input variables? */ public function __construct($vars = array(), $sanitize = false) @@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false) } if (isset($vars['_formvars'])) { - $this->_expected = @unserialize($vars['_formvars']); + $this->_expected = @json_decode($vars['_formvars'], true); unset($vars['_formvars']); } Regards Pedro