Web application abuses : Horde Groupware Webmail <= 5.2.22 RCE Vulnerability (Linux)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.142487

Kategorie: Web application abuses

Titel: Horde Groupware Webmail <= 5.2.22 RCE Vulnerability (Linux)

Zusammenfassung: Horde Groupware Webmail is prone to an authenticated remote code execution; vulnerability.

Beschreibung: Summary:
Horde Groupware Webmail is prone to an authenticated remote code execution
vulnerability.

Vulnerability Insight:
Horde/Form/Type.php contains a vulnerable class that handles image upload in
forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions
getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST
parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to
manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to
(for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/
destination folder is a good candidate to drop the backdoor because it is always writable in Horde
installations.

Affected Software/OS:
Horde Groupware Webmail version 5.2.22 and prior with Horde Form before version 2.0.19.

Solution:
Update the Horde Form subcomponent to version 2.0.19 or later.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2019-9858
Bugtraq: 20190624 [SECURITY] [DSA 4468-1] php-horde-form security update (Google Search)
https://seclists.org/bugtraq/2019/Jun/31
Debian Security Information: DSA-4468 (Google Search)
https://www.debian.org/security/2019/dsa-4468
http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html
https://ssd-disclosure.com/?p=3814&preview=true
https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html

Copyright Copyright (C) 2019 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.142487
Kategorie:	Web application abuses
Titel:	Horde Groupware Webmail <= 5.2.22 RCE Vulnerability (Linux)
Zusammenfassung:	Horde Groupware Webmail is prone to an authenticated remote code execution; vulnerability.
Beschreibung:	Summary: Horde Groupware Webmail is prone to an authenticated remote code execution vulnerability. Vulnerability Insight: Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. Affected Software/OS: Horde Groupware Webmail version 5.2.22 and prior with Horde Form before version 2.0.19. Solution: Update the Horde Form subcomponent to version 2.0.19 or later. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2019-9858 Bugtraq: 20190624 [SECURITY] [DSA 4468-1] php-horde-form security update (Google Search) https://seclists.org/bugtraq/2019/Jun/31 Debian Security Information: DSA-4468 (Google Search) https://www.debian.org/security/2019/dsa-4468 http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html https://ssd-disclosure.com/?p=3814&preview=true https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html
Copyright	Copyright (C) 2019 Greenbone Networks GmbH