Lucene search

HistoryMar 09, 2008 - 12:00 a.m.

Horde Webmail file inclusion proof of concept & patch.


Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept & patch.

A severe security vulnerability affects any unix distribution running version 3.1.6 of the Horde webmail client included
in most popular webhosting control panels. All previous versions are also affected and it is believed although not yet
proven that Horde Groupware is also vulnerable.

Details are as follows:

David Collins and Patrick Pelanne along with the rest of the LLC support team discovered that Horde was not
properly sanitizing POST variables for several options including it's themes. By maliciously modifying POST data sent to
the client the attacker can modify the location of the theme variable and Horde will subsequently insert this information
into it's database. By modifying this POST variable one can allow for directory traversal and file inclusion which can
lead to full root privilege escalation.

Proof of concept:

Data injected through malicious tampering of POST data:

mysql> select * from horde_prefs where pref_uid='[email protected]' and pref_name='theme';
| pref_uid | pref_scope | pref_name | pref_value
| [email protected] | horde | theme |
…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/tmp/.horde/imp/attachments/[email protected]/1204804402/t.txt |

Shown above, the malicious POST variable was inserted into the database and now points to the malicious code denoted by

A truncated strace shows the access and execution of the malicious code when the user enters the Horde webmail client:

31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2, st_mode=S_IFDIR|0755, st_nlink=18, st_uid=0, st_gid=0,
st_blksize=4096, st_blocks=16, st_size=4096, s$
31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001, st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0,
st_blksize=4096, st_blocks=16, st_s$
31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539, st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0,
st_gid=10, st_blksize=4096, st_blocks=8$
31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3), st_ino=85078, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0,
st_gid=0, st_blksize=4096, st_bloc$
31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3), st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21,
st_uid=32002, st_gid=32004, st_blksize$
31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3, 3), st_ino=115868, st_mode=S_IFDIR|0755,
st_nlink=2, st_uid=32002, st_gid=32004, st_$
31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3, 3), st_ino=86796, st_mode=S_IFDIR|0755,
st_nlink=28, st_uid=32002, st_gid=32004, st_$
31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2, st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0,
st_blksize=4096, st_blocks=64, st_size=$
31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002,
st_gid=32004, st_blksize=4096, st_blocks=2$
31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002,
st_gid=32004, st_blksize=4096, st_bloc$
31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1), st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3,
st_uid=32002, st_gid=32004, st_blksize=4$
31852 lstat64("/tmp/.horde/imp/attachments/[email protected]", {st_dev=makedev(7, 1), st_ino=38612,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st$
31852 lstat64("/tmp/.horde/imp/attachments/[email protected]/1204804402", {st_dev=makedev(7, 1), st_ino=38613,
st_mode=S_IFDIR|0700, st_nlink=2, st_ui$
31852 lstat64("/tmp/.horde/imp/attachments/[email protected]/1204804402/t.txt", {st_dev=makedev(7, 1), st_ino=38614,
st_mode=S_IFREG|0600, st_nlink=1,$
31852 open("/tmp/.horde/imp/attachments/[email protected]/1204804402/t.txt", O_RDONLY) = 4

We have also included a patch below for this vulnerability tested on Horde v2.105.4.8 2006/07/29 16:49:19

— horde/lib/Horde/Prefs.php 2008-03-06 21:14:38.000000000 -0600
+++ horde/lib/Horde/Prefs.patched 2008-03-06 20:10:56.000000000 -0600
@@ -325,12 +325,23 @@

     return (isset($this->_prefs[$pref]['v'])) ?
  •        ($convert ?
  •        $this->_fixhole($pref,$convert ?
            $this->convertFromDriver($this->_prefs[$pref]['v'], $charset) :
            $this->_prefs[$pref]['v']) :

+function _fixhole($pref,$value) {

  •  $sanitize = '/^[a-z0-9._-]+$/i';
  •  if (preg_match($sanitize, $value) && $pref == 'theme') {
  •          return $value;
  •  } elseif ($pref == 'theme') {
  •            return "mozilla";
  •  } else {
  •            return $value;
  •  }

function __get($name)
return $this->getValue($name);

– Begin Signature – is looking for qualified systems administrators. Please send an e-mail to [email protected] with your