[announce] [SECURITY] CVE-2020-8866: Arbitrary File Creation in Temporary Directory Vulnerability
Michael J Rubinsky
mrubinsk at horde.org
Sun Mar 8 22:22:55 UTC 2020
Hello,

A File Upload Arbitrary File Creation Vulnerability has been found in
Horde_Form. This vulnerability allows for specifying the name of the
temporary file that is created by Horde_Form when uploading a file
using Horde_Form's image support. While this allows a malicious user
to create an arbitrary file on the server with a known name, the file
creation is still restricted to the server's configured temporary
directory.

A fixed version of Horde_Form (2.0.20) has been released and everyone
is advised to upgrade.

This vulnerability was reported to us by Andrea Cardaci working with
Trend Micro Zero Day Initiative.

--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
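
The failure mode described in the advisory, shown beside a hardened alternative. This is an added PHP sketch, not Horde_Form's code or its actual fix; the function names, the `img_tmp` form field and the `$session` array are hypothetical, and the use of `basename()` to confine the write is an assumption.

```php
<?php
// Added illustration, not Horde_Form code. Function names, the "img_tmp"
// field and the $session array are hypothetical.

// Pattern the advisory describes: the client supplies the temp file name.
// basename() (assumed here) keeps the write inside the temp directory,
// but the name is still client-chosen, so the path is known in advance.
function saveUploadClientNamed(array $post, string $data): string
{
    $path = sys_get_temp_dir() . '/' . basename($post['img_tmp']);
    file_put_contents($path, $data);
    return $path;
}

// Hardened pattern: the server picks an unpredictable name, creates it
// exclusively, and gives the client only an opaque token that maps back
// to the path in server-side state.
function saveUploadServerNamed(string $data, array &$session): string
{
    $dir = sys_get_temp_dir();
    do {
        $path = $dir . '/img_' . bin2hex(random_bytes(16));
        // Mode 'x' fails if the path already exists, so a pre-placed file
        // is never opened or overwritten.
        $fh = @fopen($path, 'x');
    } while ($fh === false && file_exists($path));
    if ($fh === false) {
        throw new RuntimeException('cannot create temporary file');
    }
    chmod($path, 0600);
    fwrite($fh, $data);
    fclose($fh);

    $token = bin2hex(random_bytes(16));
    $session['uploads'][$token] = $path;   // path never leaves the server
    return $token;
}

// Later requests refer to the upload by token only.
function resolveUpload(string $token, array $session): ?string
{
    return $session['uploads'][$token] ?? null;
}

// Constructed demo input.
$session = [];
$token = saveUploadServerNamed("GIF89a...", $session);
var_dump(resolveUpload($token, $session) !== null);        // known token
var_dump(resolveUpload('client-chosen-name.php', $session)); // unknown token
```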