[horde] calls to popen()

Reindl Harald h.reindl at thelounge.net
Tue Feb 14 02:53:24 UTC 2012



On 11.02.2012 08:16, Vilius Šumskas wrote:
> Hi,
> 
> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
> 
>> what is this after update H3 some minutes ago?
> 
>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>> popen() (attacker '10.0.0.241', file
>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
> 
>> there are existing pear packages and no single need to
>> open command execution which nobody will do interested
>> in security for foreign software
> 
> There is nothing wrong with popen() calls. If your "security" software
> thinks otherwise, then it is seriously botched.

and the following proves you are wrong

open_basedir will isolate vhosts where mod_php is needed
popen() and such commands are breaking out of the vhost
if the following happens your whole machine is compromised

-------- Original Message --------
> Remote execution backdoor after server hack (CVE-2012-0209)
> CVE-2012-0209: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209
>>
>> We have been able to limit the manipulation to three files
>> downloaded during a certain timeframe. The affected releases are:
>> - Horde 3.3.12 downloaded between November 15 and February 7
>> - Horde Groupware 1.2.10 downloaded between November 9 and February 7
>> - Horde Groupware Webmail Edition 1.2.10 downloaded between
>> November 2 and February 7
>>
>> No other releases have been affected
