Tickets :: [#6399] Unsanitized theme include vulnerability

6.0.0-alpha12

6/10/25

Summary	Unsanitized theme include vulnerability
Queue	Horde Base
Queue Version	HEAD
Type	Bug
State	Resolved
Priority	3. High
Owners	chuck (at) horde (dot) org
Requester	mikemoyer (at) inbox (dot) com
Created	03/07/2008 (6304 days ago)
Due
Updated	03/07/2008 (6304 days ago)
Assigned
Resolved	03/07/2008 (6304 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

03/07/2008 11:06:05 PM	Chuck Hagenbuch	Assigned to Chuck Hagenbuch

03/07/2008 11:05:51 PM	Chuck Hagenbuch	Comment #3 Version ⇒ HEAD Queue ⇒ Horde Base State ⇒ Resolved	Reply to this comment
This vulnerability does not exist in the FRAMEWORK_3 branch; the code in question was removed before 3.2-RC2. It is also not clear that even in Horde 3.1.6 and earlier it affects people who use the SQL preferences backend. It has been reproduced with LDAP preferences. It is fixed by Horde 3.1.7, which has been released.

03/07/2008 09:50:35 PM	Chuck Hagenbuch	Comment #2	Reply to this comment
That's because the vulnerability is bogus, the "fix" is wrong, and the people who "reported" it did not give us time (even a day) to respond, and have continued to ignore our response to them.

03/07/2008 09:39:59 PM	mikemoyer (at) inbox (dot) com	Comment #1 Priority ⇒ 3. High Type ⇒ Bug Summary ⇒ Unsanitized theme include vulnerability Queue ⇒ Horde Framework Packages State ⇒ Unconfirmed	Reply to this comment
Copy/paste from http://www.securityfocus.com/archive/1/489239: ------------------------- Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch. A severe security vulnerability affects any unix distribution running version 3.1.6 of the Horde webmail client included in most popular webhosting control panels. All previous versions are also affected and it is believed although not yet proven that Horde Groupware is also vulnerable. Details are as follows: David Collins and Patrick Pelanne along with the rest of the HostGator.com LLC support team discovered that Horde was not properly sanitizing POST variables for several options including it's themes. By maliciously modifying POST data sent to the client the attacker can modify the location of the theme variable and Horde will subsequently insert this information into it's database. By modifying this POST variable one can allow for directory traversal and file inclusion which can lead to full root privilege escalation. Proof of concept: Data injected through malicious tampering of POST data: mysql> select * from horde_prefs where pref_uid='bbarker (at) hostgator (dot) com [email concealed]' and pref_name='theme'; +-------------------------+------------+-----------+-------------------- ------------------------------------------------------------------------ --------------------------------+ \| pref_uid \| pref_scope \| pref_name \| pref_value \| +-------------------------+------------+-----------+-------------------- ------------------------------------------------------------------------ --------------------------------+ \| bbarker (at) hostgator (dot) com [email concealed] \| horde \| theme \| ../../../../../../../../../../../../../../../../../../tmp/.horde/imp/att achments/bbarker (at) hostgator (dot) com [email concealed]/1204804402/t.txt \| Shown above, the malicious POST variable was inserted into the database and now points to the malicious code denoted by t.txt A truncated strace shows the access and execution of the malicious code when the user enters the Horde webmail client: 31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2, st_mode=S_IFDIR\|0755, st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=4096, s$ 31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001, st_mode=S_IFDIR\|0755, st_nlink=26, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_s$ 31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539, st_mode=S_IFDIR\|0711, st_nlink=37, st_uid=0, st_gid=10, st_blksize=4096, st_blocks=8$ 31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3), st_ino=85078, st_mode=S_IFDIR\|0755, st_nlink=21, st_uid=0, st_gid=0, st_blksize=4096, st_bloc$ 31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3), st_ino=85388, st_mode=S_IFDIR\|0755, st_nlink=21, st_uid=32002, st_gid=32004, st_blksize$ 31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3, 3), st_ino=115868, st_mode=S_IFDIR\|0755, st_nlink=2, st_uid=32002, st_gid=32004, st_$ 31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3, 3), st_ino=86796, st_mode=S_IFDIR\|0755, st_nlink=28, st_uid=32002, st_gid=32004, st_$ 31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2, st_mode=S_IFDIR\|S_ISVTX\|0777, st_nlink=9, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=64, st_size=$ 31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609, st_mode=S_IFDIR\|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, st_blocks=2$ 31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610, st_mode=S_IFDIR\|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4096, st_bloc$ 31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1), st_ino=38611, st_mode=S_IFDIR\|0700, st_nlink=3, st_uid=32002, st_gid=32004, st_blksize=4$ 31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com [email concealed]", {st_dev=makedev(7, 1), st_ino=38612, st_mode=S_IFDIR\|0700, st_nlink=3, st_uid=32002, st$ 31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com [email concealed]/1204804402", {st_dev=makedev(7, 1), st_ino=38613, st_mode=S_IFDIR\|0700, st_nlink=2, st_ui$ 31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com [email concealed]/1204804402/t. txt", {st_dev=makedev(7, 1), st_ino=38614, st_mode=S_IFREG\|0600, st_nlink=1,$ 31852 open("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com [email concealed]/1204804402/t.txt ", O_RDONLY) = 4 We have also included a patch below for this vulnerability tested on Horde v2.105.4.8 2006/07/29 16:49:19 --- horde/lib/Horde/Prefs.php 2008-03-06 21:14:38.000000000 -0600 +++ horde/lib/Horde/Prefs.patched 2008-03-06 20:10:56.000000000 -0600 @@ -325,12 +325,23 @@ } return (isset($this->_prefs[$pref]['v'])) ? - ($convert ? + $this->_fixhole($pref,$convert ? $this->convertFromDriver($this->_prefs[$pref]['v'], $charset) : $this->_prefs[$pref]['v']) : null; } +function _fixhole($pref,$value) { + $sanitize = '/^[a-z0-9._-]+$/i'; + if (preg_match($sanitize, $value) && $pref == 'theme') { + return $value; + } elseif ($pref == 'theme') { + return "mozilla"; + } else { + return $value; + } +} + function __get($name) { return $this->getValue($name); -------------------------- Sorry because I know someone's probably already aware: but I didn't see any word on this after several hours on either the Horde site, in the bug database, or on the Horde mailing list archives