[commits] Horde branch master updated. 3afdce9d40d8a0e5c30f711ddf7cb24850751e52

Jan Schneider jan at horde.org
Tue Sep 19 16:06:22 UTC 2017 

The branch "master" has been updated.
The following is a summary of the commits.

from: f7672ebc89530aa2f201b0f9bb66c9e7477e77b1

eb3afd1 Fix RCE in _raw() via $index parameter.
3afdce9 [jan] SECURITY: Fix remote code execution vulnerability in Im driver (Thomas Jarosch <thomas.jarosch at intra2net.com>.

Summary: http://github.com/horde/horde/compare/f7672ebc89530aa2f201b0f9bb66c9e7477e77b1...3afdce9d40d8a0e5c30f711ddf7cb24850751e52

-----------------------------------------------------------------------

commit eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
Author: Thomas Jarosch <thomas.jarosch at intra2net.com>
Date:   Fri Sep 15 15:45:55 2017 +0200

    Fix RCE in _raw() via $index parameter.
    
    $index is passed down from getImageAtIndex($index).
    Luckily the only official horde code calling it
    is the PDF preview code with a fixed index of 0.
    
    Still code from third party vendors using the Horde framework libs
    might expose getImageAtIndex() to the web.
    
    PoC:
    
    ----------------
    <?php
    $options = array('index' => "5'$(ls -al )'");
    $max_pages = 10;
    
    // php fun: implicit conversion to integer
    if ($options['index'] < $max_pages)
    {
        // _raw() call in Im.php might look like
        //        /usr/bin/convert  "/tmp/img1URPsC"'[0]'  -strip png:"/tmp/img0NgHfI"
        echo exec('echo \'[' . $options['index'] . ']\' ');
    }
    ?>
    ----------------
    Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
    Signed-off-by: Jan Schneider <jan at horde.org>

 framework/Image/lib/Horde/Image/Im.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

http://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

-----------------------------------------------------------------------

commit 3afdce9d40d8a0e5c30f711ddf7cb24850751e52
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 19 18:06:03 2017 +0200

    [jan] SECURITY: Fix remote code execution vulnerability in Im driver (Thomas Jarosch <thomas.jarosch at intra2net.com>.

 framework/Image/package.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/3afdce9d40d8a0e5c30f711ddf7cb24850751e52

More information about the commits mailing list