[horde] Possible security hole?

Nels Lindquist nlindq at maei.ca
Tue May 12 17:00:02 UTC 2009


Hi, folks.

I did a quick search on my list archive and didn't find mention of this,
so my apologies in advance if I missed a thread.

I received a logwatch e-mail this morning from one of our test servers
which does NOT have any Horde applications installed, showing requests
that are obviously probing for Horde:

Requests with error response codes
    404 Not Found
       //README: 1 Time(s)
       //user/templates/footer.tpl: 1 Time(s)
       /email//README: 1 Time(s)
       /horde-3.0.5//README: 1 Time(s)
       /horde-3.0.6//README: 1 Time(s)
       /horde-3.0.7//README: 1 Time(s)
       /horde-3.0.8//README: 1 Time(s)
       /horde-3.0.9//README: 1 Time(s)
       /horde//README: 1 Time(s)
       /horde2//README: 1 Time(s)
       /horde3//README: 1 Time(s)
       /mail//README: 1 Time(s)
       /mails//README: 1 Time(s)
       /mailz//README: 1 Time(s)
       /newmail//README: 1 Time(s)
       /webmail//README: 1 Time(s)


Out of curiosity, I tried loading the README file on our active Horde
installations, and sure enough, it popped right up.

At the very least, this is an information leak (the revision string is
right at the top of the file) but I'm concerned that if they're actively
probing for Horde, there's a specific hole they're looking for.

I intend to immediately disable access to the README files, but I
thought I should send you a heads-up.

Nels Lindquist
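The logwatch summary above is a one-time tally; what an operator usually wants is a quick way to pull the same pattern out of the raw access log, tell a scanner (many README paths from one client, version-named directories enumerated) from a stray 404, and spot the case that actually matters: a README request that returned 200, meaning the file (and the revision string at its top) was served. The following script is an added example, not code from the original post or from the Horde project. The log lines are constructed in Apache combined format to mirror the paths quoted in the message, and the list of leaky filenames and the scanner threshold are assumptions, not Horde's own.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not from the post.
# 198.51.100.7 walks the same README paths as the logwatch report; 203.0.113.5 is
# ordinary browsing with one stray 404; 192.0.2.44 gets a real README served (200).
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2009:06:41:02 +0000] "GET //README HTTP/1.1" 404 207 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2009:06:41:02 +0000] "GET /horde-3.0.5//README HTTP/1.1" 404 207 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2009:06:41:03 +0000] "GET /horde-3.0.9//README HTTP/1.1" 404 207 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2009:06:41:03 +0000] "GET /webmail//README HTTP/1.1" 404 207 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2009:06:41:04 +0000] "GET //user/templates/footer.tpl HTTP/1.1" 404 207 "-" "Mozilla/4.0"
203.0.113.5 - - [12/May/2009:06:45:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2009:06:45:11 +0000] "GET /README HTTP/1.1" 404 207 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2009:07:02:30 +0000] "GET /horde/README?x=1 HTTP/1.1" 200 5120 "-" "curl/7.19"
"""

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of files that commonly ship in a web app's document root and
# carry a version or revision string. Extend it for your own deployment.
LEAKY_FILES = {"README", "CHANGES", "INSTALL", "UPGRADING", "CREDITS"}

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def normalize_path(path):
    """Strip the query string and collapse '//' runs.

    Scanners habitually emit doubled slashes (as in the logwatch report); most
    servers resolve them to the same file, so compare on the collapsed form.
    """
    path = path.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def is_leaky_file_probe(path):
    """True when the request targets one of the version-bearing text files."""
    return path.rsplit("/", 1)[-1] in LEAKY_FILES


def versions_in_path(path):
    """Version numbers the client guessed in directory names, e.g. /horde-3.0.5/."""
    return VERSION_RE.findall(path)


def analyze(log_text, threshold=3):
    """Group README-style probes per client IP.

    threshold: distinct probed paths from one IP at which we call it a scanner
    (assumed value). 'served' flags any probe answered with 200, i.e. a file
    that is actually exposed and should be blocked or removed.
    """
    per_ip = defaultdict(lambda: {"probes": set(), "versions": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_leaky_file_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"].add(rec["path"])
        entry["versions"].update(versions_in_path(rec["path"]))
        entry["statuses"].add(rec["status"])
    return {
        ip: {
            "probes": sorted(e["probes"]),
            "versions": sorted(e["versions"]),
            "served": 200 in e["statuses"],
            "scanner": len(e["probes"]) >= threshold,
        }
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").read())`; any client with `served` set has fetched a file you did not mean to publish. To close the leak on Apache, a `<FilesMatch "^(README|CHANGES|INSTALL|UPGRADING|CREDITS)$">` block with `Deny from all` (Apache 2.2, current when this message was written) or `Require all denied` (Apache 2.4) in the virtual host or `.htaccess` stops the server from returning them, whatever path the scanner guesses.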

