Re: Horde Webmail file inclusion proof of concept & patch.

The Horde Internet Messaging Program proof of concept security vulnerability 4 minutes control panels reports vulnerable team versions patch file released sent executed

Before I get into the technical details of this report, and the Horde  
Team's response, I want to take a minute to explain the perceived slow  
response by the Horde Team to this report.  This issue was released to  
Bugtraq before any notification was sent to the Horde team.  The  
notification sent to security@horde.org was received Thursday at  
nearly 10:30PM Eastern Time , a time after which most of our  
developers are no longer are active.  It was also sent 4 minutes after  
the Bugtraq email.  There was no bug filed on our website, no prior  
warning email, and no courtesy shown by HostGator to the Horde  
community.  The Horde Team does have established procedures for  
handling and coordinating security vulnerability reports and we are  
disappointed that HostGator was so hasty to report the vulnerability  
publicly before a proper fix could be prepared.  Those interested in  
learning more about Horde's security policy and the best way to report  
vulnerabilities to us should visit  
http://wiki.horde.org/SecurityManagement.

Quoting ppelanne@hostgator.com:

> Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.
>
> A severe security vulnerability affects any unix distribution  
> running version 3.1.6 of the Horde webmail client included in most  
> popular webhosting control panels. All previous versions are also  
> affected and it is believed although not yet proven that Horde  
> Groupware is also vulnerable.
>
The Horde team has investigated this report and found it to be  
reproducible, though not exactly as reported.  The SQL example in the  
original post does prevent the themes from appearing but does not  
execute the file in question.  It is unclear based on their limited  
information whether they are using a modified version of Horde or if  
there were other factors that lead to the behavior reported.  However  
if a null byte can be inserted into the theme name (for instance when  
using the LDAP preference backend which stores preference values in  
Base64 encoding) it does become possible to cause a file to be  
included and executed.

Based on our research it is true that Horde 3.1.6 does suffer a local  
file inclusion vulnerability which in certain configurations can also  
include an authenticated user-supplied file.  We have prepared a patch  
and a new release of Horde 3.1.7 to address this bug.  In the short  
term admins are encouraged to apply the patch at the URL below which  
mitigates the vulnerability:

http://cvs.horde.org/diff.php?r1=1.306&r2=1.307&f=framework/Horde/Horde/Registry.php

If there are any questions about our research, findings, or to report  
further problems with this patch, please see our security protocol  
page at http://wiki.horde.org/SecurityManagement or contact  
security@horde.org.

/BAK/
--
Ben Klang
Horde Project
bklang@horde.org
http://www.horde.org

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.