There is a remote code execution bug in horde affecting all versions from
at least horde 3.1.x to 5.1.1.
This has been fixed in commit
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Also check changelog
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215
Can you please assign a CVE for this issue?
Thanks in advance.
PS: while I discovered this bug independently reviewing horde3 code, the
full credit should go to the horde maintainers as they discovered and fixed
it first on horde5.
framework/Util/lib/Horde/Variables.php
@@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
* Constructor.
*
* @param array $vars The list of form variables (if null, defaults
- * to PHP's $_REQUEST value).
+ * to PHP's $_REQUEST value). If '_formvars'
+ * exists, it must be a JSON encoded array that
+ * contains the list of allowed form variables.
* @param string $sanitize Sanitize the input variables?
*/
public function __construct($vars = array(), $sanitize = false)
@@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
}
if (isset($vars['_formvars'])) {
- $this->_expected = @unserialize($vars['_formvars']);
+ $this->_expected = @json_decode($vars['_formvars'], true);
unset($vars['_formvars']);
}
Regards
Pedro