horde < 5.1.1 Remote code execution

2014.01.29
Credit: Pedro
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

There is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.

This has been fixed in commit https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3

Also check changelog https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215

Can you please assign a CVE for this issue?

Thanks in advance.

PS: while I discovered this bug independently reviewing horde3 code, the full credit should go to the horde maintainers as they discovered and fixed it first on horde5.

framework/Util/lib/Horde/Variables.php @@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false) * Constructor. * * @param array $vars The list of form variables (if null, defaults - * to PHP's $_REQUEST value). + * to PHP's $_REQUEST value). If '_formvars' + * exists, it must be a JSON encoded array that + * contains the list of allowed form variables. * @param string $sanitize Sanitize the input variables? */ public function __construct($vars = array(), $sanitize = false) @@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false) } if (isset($vars['_formvars'])) { - $this->_expected = @unserialize($vars['_formvars']); + $this->_expected = @json_decode($vars['_formvars'], true); unset($vars['_formvars']); }

Regards
Pedro
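Review bot: in the second hunk (`@@ -72,7 +74,7 @@`), the value returned by `@json_decode($vars['_formvars'], true)` is assigned to `$this->_expected` without checking that it is an array. json_decode() returns null for malformed input and a scalar for valid JSON that is not an array or object, so the contract stated in the new docblock ("must be a JSON encoded array") is not enforced at this point. Suggest decoding into a local variable, assigning it only when `is_array()` holds, and dropping the `@` so that a `_formvars` value of the wrong type is handled explicitly instead of being silenced.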
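Review bot: in the first hunk's docblock, the added text says `_formvars` "must be a JSON encoded array" but does not say what the constructor does when it is not, and it gives no hint that the accepted encoding changed from PHP-serialized data to JSON, which matters to any caller still emitting the old format. Suggest one more sentence covering both. Separately, the context line `@param string $sanitize` disagrees with the default `$sanitize = false` in the signature; `boolean` would match.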

References:

https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215

