[horde] SECURITY: Remote Code Execution vulnerability in Horde_Crypt.
Michael J Rubinsky
mrubinsk at horde.org
Tue Apr 4 02:01:06 UTC 2017
Two related Remote Code Execution (RCE) vulnerabilities have been
discovered in the Horde_Crypt library that may allow a remote attacker
to execute arbitrary commands on the server with the privileges of the
user who runs the web server.

Horde Webmail (via the IMP application) uses the Horde_Crypt library
to handle the encryption/decryption of PGP data. These vulnerabilities
are the result of passing certain command parameters to the system gpg
binary without first sanitizing them.

The first vulnerability affects all versions of Horde Webmail with PGP
features enabled in the user's preferences. To exploit this
vulnerability from within a Horde Webmail install, the attacker must
be an authenticated user and attempt to encrypt an email addressed to
a maliciously crafted email address. This vulnerability has been
assigned CVE ID: CVE-2017-7413.

The second vulnerability affects Horde Webmail versions 5.0 and above
with PGP features enabled in the user's preferences. Additionally, it
requires that the user has enabled the “Should PGP signed messages be
automatically verified when viewed?” preference. For versions of Horde
Webmail 5.2.0 or greater, the server administrator must also have
enabled the inline viewing of PGP data. To exploit this vulnerability,
an attacker can send a maliciously crafted PGP signed email to a Horde
user, who then must either view or preview it. This vulnerability has
been assigned CVE ID: CVE-2017-7414.

Both of these vulnerabilities are fixed in Horde_Crypt 2.7.6.

Thanks to Maor Shwartz <maors at beyondsecurity.com> for reporting this
The Horde Project
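
One way to keep a recipient address from reaching gpg as shell syntax or as an option, shown as an added example (it is not Horde_Crypt code and not the 2.7.6 fix). The function names, the address allowlist and the /usr/bin/gpg path are assumptions; the array form of proc_open requires PHP 7.4 or later.

```php
<?php
// Added illustration, not Horde_Crypt code; all function names are hypothetical.

function validateRecipient(string $addr): string
{
    // Allowlist stricter than RFC 5322: no whitespace, quotes or shell
    // metacharacters, and the first character may not be "-" (option-like).
    if (!preg_match('/\A[A-Za-z0-9._%+][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9.-]{1,253}\z/', $addr)) {
        throw new InvalidArgumentException('recipient rejected');
    }
    return $addr;
}

function buildEncryptArgv(array $recipients, string $gpg = '/usr/bin/gpg'): array
{
    $argv = [$gpg, '--batch', '--no-tty', '--armor', '--encrypt'];
    foreach ($recipients as $r) {
        // Each address is its own argv element; it is never spliced into a string.
        array_push($argv, '--recipient', validateRecipient($r));
    }
    return $argv;
}

function encryptFor(array $recipients, string $plaintext): string
{
    $argv = buildEncryptArgv($recipients);      // validate before creating anything
    $tmp = tempnam(sys_get_temp_dir(), 'gpg');  // ciphertext goes to a file, so stdout cannot stall gpg
    $spec = [0 => ['pipe', 'r'], 1 => ['file', $tmp, 'w'], 2 => ['file', '/dev/null', 'w']];
    // PHP >= 7.4: an array command is executed directly, with no /bin/sh in between.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        unlink($tmp);
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $status = proc_close($proc);
    $out = file_get_contents($tmp);
    unlink($tmp);
    if ($status !== 0) {
        throw new RuntimeException('gpg exited with status ' . $status);
    }
    return $out;
}

// Constructed sample inputs: only the first is accepted.
foreach (['alice@example.org', '-r@example.org', 'bob@example.org --output x'] as $a) {
    try { validateRecipient($a); echo "accept: $a\n"; }
    catch (InvalidArgumentException $e) { echo "reject: $a\n"; }
}
```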