[Tickets #6399] Unsanitized theme include vulnerability

bugs at horde.org bugs at horde.org
Fri Mar 7 21:39:59 UTC 2008


Ticket URL: http://bugs.horde.org/ticket/6399
 Ticket             | 6399
 Created By         | mikemoyer at inbox.com
 Summary            | Unsanitized theme include vulnerability
 Queue              | Horde Framework Packages
 Version            | FRAMEWORK_3
 Type               | Bug
 State              | Unconfirmed
 Priority           | 3. High
 Milestone          | 
 Patch              | 
 Owners             | 

mikemoyer at inbox.com (2008-03-07 16:39) wrote:

Copy/paste from http://www.securityfocus.com/archive/1/489239:


Horde 3.1.6 arbitrary file inclusion vulnerability, proof of concept &

A severe security vulnerability affects any unix distribution running
version 3.1.6 of the Horde webmail client included in most popular
webhosting control panels. All previous versions are also affected and it
is believed although not yet proven that Horde Groupware is also

Details are as follows:

David Collins and Patrick Pelanne along with the rest of the HostGator.com
LLC support team discovered that Horde was not properly sanitizing POST
variables for several options including it's themes. By maliciously
modifying POST data sent to the client the attacker can modify the location
of the theme variable and Horde will subsequently insert this information
into it's database. By modifying this POST variable one can allow for
directory traversal and file inclusion which can lead to full root
privilege escalation.

Proof of concept:

Data injected through malicious tampering of POST data:

mysql> select * from horde_prefs where pref_uid='bbarker (at) hostgator
(dot) com [email concealed]' and pref_name='theme';


| pref_uid | pref_scope | pref_name | pref_value |


| bbarker (at) hostgator (dot) com [email concealed] | horde | theme |
achments/bbarker (at) hostgator (dot) com [email
concealed]/1204804402/t.txt |

Shown above, the malicious POST variable was inserted into the database
and now points to the malicious code denoted by t.txt

A truncated strace shows the access and execution of the malicious code
when the user enters the Horde webmail client:

31852 lstat64("/usr", {st_dev=makedev(3, 3), st_ino=2,
st_mode=S_IFDIR|0755, st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=16, st_size=4096, s$

31852 lstat64("/usr/local", {st_dev=makedev(3, 3), st_ino=608001,
st_mode=S_IFDIR|0755, st_nlink=26, st_uid=0, st_gid=0, st_blksize=4096,
st_blocks=16, st_s$

31852 lstat64("/usr/local/cpanel", {st_dev=makedev(3, 3), st_ino=18539,
st_mode=S_IFDIR|0711, st_nlink=37, st_uid=0, st_gid=10, st_blksize=4096,

31852 lstat64("/usr/local/cpanel/base", {st_dev=makedev(3, 3),
st_ino=85078, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=0, st_gid=0,
st_blksize=4096, st_bloc$

31852 lstat64("/usr/local/cpanel/base/horde", {st_dev=makedev(3, 3),
st_ino=85388, st_mode=S_IFDIR|0755, st_nlink=21, st_uid=32002,
st_gid=32004, st_blksize$

31852 lstat64("/usr/local/cpanel/base/horde/config", {st_dev=makedev(3,
3), st_ino=115868, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=32002,
st_gid=32004, st_$

31852 lstat64("/usr/local/cpanel/base/horde/themes", {st_dev=makedev(3,
3), st_ino=86796, st_mode=S_IFDIR|0755, st_nlink=28, st_uid=32002,
st_gid=32004, st_$

31852 lstat64("/tmp", {st_dev=makedev(7, 1), st_ino=2,
st_mode=S_IFDIR|S_ISVTX|0777, st_nlink=9, st_uid=0, st_gid=0,
st_blksize=4096, st_blocks=64, st_size=$

31852 lstat64("/tmp/.horde", {st_dev=makedev(7, 1), st_ino=38609,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,
st_blksize=4096, st_blocks=2$

31852 lstat64("/tmp/.horde/imp", {st_dev=makedev(7, 1), st_ino=38610,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,
st_blksize=4096, st_bloc$

31852 lstat64("/tmp/.horde/imp/attachments", {st_dev=makedev(7, 1),
st_ino=38611, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st_gid=32004,

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]", {st_dev=makedev(7, 1), st_ino=38612,
st_mode=S_IFDIR|0700, st_nlink=3, st_uid=32002, st$

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]/1204804402", {st_dev=makedev(7, 1), st_ino=38613,
st_mode=S_IFDIR|0700, st_nlink=2, st_ui$

31852 lstat64("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot)
com [email concealed]/1204804402/t.
txt", {st_dev=makedev(7, 1), st_ino=38614, st_mode=S_IFREG|0600,

31852 open("/tmp/.horde/imp/attachments/patrick (at) hostgator (dot) com
[email concealed]/1204804402/t.txt
", O_RDONLY) = 4

We have also included a patch below for this vulnerability tested on Horde
v2.105.4.8 2006/07/29 16:49:19

--- horde/lib/Horde/Prefs.php 2008-03-06 21:14:38.000000000 -0600

+++ horde/lib/Horde/Prefs.patched 2008-03-06 20:10:56.000000000 -0600

@@ -325,12 +325,23 @@


return (isset($this->_prefs[$pref]['v'])) ?

- ($convert ?

+ $this->_fixhole($pref,$convert ?

$this->convertFromDriver($this->_prefs[$pref]['v'], $charset) :

$this->_prefs[$pref]['v']) :



+function _fixhole($pref,$value) {

+ $sanitize = '/^[a-z0-9._-]+$/i';

+ if (preg_match($sanitize, $value) && $pref == 'theme') {

+ return $value;

+ } elseif ($pref == 'theme') {

+ return "mozilla";

+ } else {

+ return $value;

+ }



function __get($name)


return $this->getValue($name);


Sorry because I know someone's probably already aware: but I didn't see
any word on this after several hours on either the Horde site, in the bug
database, or on the Horde mailing list archives

More information about the bugs mailing list