[horde] another security issue discovered in Horde ref. CVE-2022-30287

Philipp Fäustlin philipp.faeustlin at uni-hohenheim.de
Wed Jun 15 08:13:40 UTC 2022


On 14.06.22 at 19:55, Jos van der Woude wrote:
> I can confirm that I also use virtual address books: in fact I have 
> five searches saved as five separate virtual address books.
> None of these are the default address book however.
>
> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>
>> Quoting Jens Wahnes <wahnes at uni-koeln.de>:
>>
>>> Michael J Rubinsky wrote:
>>>> 4.2.28 should fix the remaining regressions.
>>>
>>> Fortunately, I got some help from other Horde users. Together, we 
>>> could narrow down the remaining issue with Turba 4.2.28 that I 
>>> mentioned earlier.
>>>
>>> The problem is with virtual address books. If one decides to save an 
>>> addressbook search as a virtual address book, the issue of "$config 
>>> must be an array" will come up as soon as one clicks on "Address 
>>> Book" in dynamic mode.
>>>
>>> Things get worse if such a virtual address book has previously been 
>>> set as the default address book. With such a configuration setting, 
>>> the trouble of e-mails not being displayed in Imp turns up 
>>> frequently. So in dynamic view, a single click on a message may not 
>>> refresh the message display (at least not always), and a double 
>>> click will open a new window reading "$config must be an array". Or 
>>> sometimes it will not open a new window at all. Yet other messages 
>>> may still open fine. It is very confusing.
>>>
>>> Using a virtual addressbook at all, and then using it as the default 
>>> addressbook is not a very common combination, which is probably why 
>>> it affects only a fraction of our users. So it has been hard to 
>>> really reproduce this, but now I've got a good example going and 
>>> would be able to provide debug output if that helps to find and fix 
>>> the issue.
>>>
>>> I tried to look into it myself, but could not find the exact cause. 
>>> In the "turba/lib/Driver/Vbook.php" file in the __construct method 
>>> (around line 50), I could see that $params['source'] would be empty 
>>> sometimes, but not always. That is probably what causes the trouble 
>>> in the first place. The number of virtual address books seems to 
>>> play a role here, too (i.e. if there is more than one). So it could 
>>> be an off-by-one thing or something like that.
>>
>> That does indeed help narrow things down. I'll take a look when I can.
>>
>> $params['source'] is *supposed* to contain an array describing the 
>> "base" configuration for the VBook. I.e., the type of backend that 
>> backs the addressbook. Probably some code path where that is not 
>> being set properly.
>>
>> -- 
>> mike
>> The Horde Project
>> http://www.horde.org
>> https://www.facebook.com/hordeproject
>> https://www.twitter.com/hordeproject
>>


I can confirm that, too. If you have a virtual address book and it gets 
triggered, the error occurs.
I had it on an S/MIME signed mail as trigger for the error in the imp.

It is also not important if the address book is one of yours, it could 
also be a shared one.

-- 
Philipp Fäustlin
Universität Hohenheim
Kommunikations-, Informations- und Medienzentrum (630)
IT-Dienste | Abt. Kommunikation, E-Learning u. Print | Mail

Otto-Sander-Str. 5 | 70599 Stuttgart
Tel.: +49 711 459-22838 | Fax: +49 711 459-23449
https://kim.uni-hohenheim.de/
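The thread above traces the "$config must be an array" error to a constructor that sometimes receives an empty `$params['source']`. The following is an added illustration, not Turba's or Horde's code: a hypothetical stand-in class (`VirtualBookStub`, with an invented exception type and constructed sample input) that validates the `source` parameter up front and reports which address book is misconfigured, so the failure surfaces at the point where the parameter is missing instead of in an unrelated place such as the mail display.

```php
<?php
// Added illustration (not Turba's code): fail fast on a missing or
// non-array 'source' entry in a constructor that expects one, so the
// failure is reported where the parameter is missing rather than as a
// generic "$config must be an array" error deeper in the call chain.

declare(strict_types=1);

final class VirtualBookConfigException extends InvalidArgumentException {}

// Hypothetical stand-in for a virtual address book driver.
final class VirtualBookStub
{
    /** @var array<string, mixed> */
    private array $source;
    private string $name;

    /**
     * @param array<string, mixed> $params Expected keys: 'name' (string) and
     *        'source' (non-empty array describing the backing address book).
     */
    public function __construct(array $params)
    {
        $this->name = (string)($params['name'] ?? '(unnamed)');

        if (!isset($params['source']) || !is_array($params['source']) || $params['source'] === []) {
            // Report the book's name and the received type so the affected
            // configuration can be located from the log entry.
            $received = isset($params['source']) ? gettype($params['source']) : 'missing';
            throw new VirtualBookConfigException(sprintf(
                'Virtual address book "%s": parameter "source" must be a non-empty array, got %s',
                $this->name,
                $received
            ));
        }

        $this->source = $params['source'];
    }

    /** @return array<string, mixed> */
    public function getSource(): array
    {
        return $this->source;
    }
}

// Constructed sample input: two virtual books, the second lacking 'source'.
$samples = [
    ['name' => 'Colleagues', 'source' => ['type' => 'ldap', 'server' => 'ldap.example.invalid']],
    ['name' => 'Vendors'],  // 'source' missing: the failure mode described in the thread
];

foreach ($samples as $params) {
    try {
        $book = new VirtualBookStub($params);
        printf("ok: %s backed by %s\n", $params['name'], $book->getSource()['type']);
    } catch (VirtualBookConfigException $e) {
        // Log and skip the broken book instead of letting the error propagate
        // into unrelated views.
        error_log($e->getMessage());
        printf("skipped: %s\n", $e->getMessage());
    }
}
```

Run with `php example.php`: the first book is constructed, the second is logged and skipped with a message naming the book and the missing parameter, which is the information an administrator needs to find the offending virtual address book among several.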
