[horde] DFN-CERT-2014-0154
Andrew Morgan
morgan at orst.edu
Fri Feb 7 18:48:15 UTC 2014
On Fri, 7 Feb 2014, Robert Schetterer wrote:
> On 07.02.2014 18:18, Arjen de Korte wrote:
>> Quoting Robert Schetterer <rs at sys4.de>:
>>
>>> Hi, any more info about this?
>>>
>>>
>>> https://portal.cert.dfn.de/adv/DFN-CERT-2014-0154/
>>> http://www.debian.org/security/2014/dsa-2853
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149
>>>
>>> ...
>>> As detailed on the debian security tracker[0] and reported on oss-sec[1]
>>> and assigned CVE 2014-1691, there is a remote code execution bug in
>>> horde affecting all versions from at least horde 3.1.x to 5.1.1.
>>> ...
>>>
>>> looks like debian has a fix at
>>>
>>> https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
>>>
>>
>> So what? This is old news, it was fixed upstream weeks before debian
>> released updated packages.
>
> OK, that's good news, but it might interest Horde3 users who aren't using
> deb packs; I guess most other people have already upgraded to Horde 5.1.5
I have attached the patch from Debian. I applied this to my non-packaged
install of Horde 3.3.13 a couple days ago.
Andy
-------------- next part --------------
Index: horde3-3.3.8+debian0/lib/Horde/Form/Renderer.php
===================================================================
--- horde3-3.3.8+debian0.orig/lib/Horde/Form/Renderer.php 2010-04-28 09:39:32.000000000 -0400
+++ horde3-3.3.8+debian0/lib/Horde/Form/Renderer.php 2014-01-30 11:36:02.504632572 -0500
@@ -217,7 +217,7 @@
}
}
require_once 'Horde/NLS.php';
- echo '<input type="hidden" name="_formvars" value="' . @htmlspecialchars(serialize($vars), ENT_QUOTES, NLS::getCharset()) . '" />';
+ echo '<input type="hidden" name="_formvars" value="' . htmlspecialchars(json_encode($vars)) . '" />';
}
function renderFormActive(&$form, &$vars)
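Review bot: the replaced `echo` line drops both the `ENT_QUOTES` flag and the `NLS::getCharset()` charset argument from `htmlspecialchars()`, and neither drop is explained. The flag drop is harmless here (the attribute is double-quoted and the default `ENT_COMPAT` still escapes `"`), and the charset drop is only safe because `json_encode()` escapes non-ASCII as `\uXXXX`, so its output is pure ASCII; a one-line comment stating that would stop a later reader from "restoring" the old arguments. Two follow-ups: `json_encode()` returns `false` on invalid UTF-8 input, which `htmlspecialchars()` turns into an empty `value=""`, so the result should be checked before it is echoed; and with `serialize()` gone, the `require_once 'Horde/NLS.php';` context line just above may now be dead in this function. The security effect is correct: the hidden field now carries plain JSON with no class information, so nothing the client sends back can be turned into objects on the server.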
Index: horde3-3.3.8+debian0/lib/Horde/Variables.php
===================================================================
--- horde3-3.3.8+debian0.orig/lib/Horde/Variables.php 2010-04-28 09:39:33.000000000 -0400
+++ horde3-3.3.8+debian0/lib/Horde/Variables.php 2014-01-30 11:36:02.504632572 -0500
@@ -29,7 +29,7 @@
$vars = Util::dispelMagicQuotes($_REQUEST);
}
if (isset($vars['_formvars'])) {
- $this->_expectedVariables = @unserialize($vars['_formvars']);
+ $this->_expectedVariables = @json_decode($vars['_formvars'], true);
unset($vars['_formvars']);
}
$this->_vars = $vars;
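Review bot: `@json_decode($vars['_formvars'], true)` returns `null` rather than `false` on malformed input, and `null` is also the result for the JSON literal `null`, so any code that later compares `_expectedVariables` against `false` or iterates it as an array needs a matching `is_array()` guard; the `@` suppression is also no longer needed because `json_decode()` does not emit warnings. Consider a `json_last_error()` check so that a form rendered before the upgrade (still carrying a `serialize()` string in `_formvars`) fails visibly instead of silently yielding an empty expected-variable list. With that, the hunk does close the reported hole: the client-supplied string is parsed into plain arrays and scalars only, and `unserialize()` can no longer be driven to instantiate arbitrary classes from request data.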