[horde] SECURITY: Remote Code Execution vulnerability in Horde_Crypt.

Michael J Rubinsky mrubinsk at horde.org
Tue Apr 4 02:01:06 UTC 2017


Two related Remote Code Execution (RCE) vulnerabilities have been  
discovered in the Horde_Crypt library that may allow a remote attacker  
to execute arbitrary commands on the server with the privileges of the  
user who runs the web server.

Horde Webmail (via the IMP application) uses the Horde_Crypt library
to handle the encryption and decryption of PGP data. Both
vulnerabilities stem from passing certain parameters to the system gpg
binary on the command line without first sanitizing them.
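The following is an added illustration of the root cause described above, not Horde_Crypt's own code: a recipient address (assumed here, for illustration, to be one of the unsanitized gpg parameters) is interpolated directly into a shell command line, beside the same call built with validation and per-argument escaping.

```php
<?php
// Added example (not Horde_Crypt's code). Assumes the gpg recipient
// address is user-controlled input that ends up on the gpg command line.

// Vulnerable pattern: the address is concatenated into the shell command,
// so any shell metacharacter in it is interpreted by /bin/sh rather than
// being passed to gpg as data.
function buildEncryptCommandUnsafe(string $recipient): string
{
    return 'gpg --batch --armor --encrypt --recipient ' . $recipient;
}

// Hardened pattern: narrow the input to a syntactically valid address,
// then pass it as a single quoted argument. Note that FILTER_VALIDATE_EMAIL
// still permits characters such as $ | & ' in the local part, so the
// validation only reduces the surface; escapeshellarg() is the control
// that actually keeps the shell from parsing the value.
function buildEncryptCommandSafe(string $recipient): string
{
    if (filter_var($recipient, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Recipient is not a valid email address');
    }
    return 'gpg --batch --armor --encrypt --recipient ' . escapeshellarg($recipient);
}

// Constructed inputs: a normal address and one carrying a shell metacharacter.
$inputs = ['alice@example.com', 'alice@example.com;not-an-address'];
foreach ($inputs as $addr) {
    echo "unsafe: ", buildEncryptCommandUnsafe($addr), "\n";
    try {
        echo "safe:   ", buildEncryptCommandSafe($addr), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (", $e->getMessage(), ")\n";
    }
}
```

Running it shows the unsafe builder emitting the semicolon unquoted, while the hardened builder either rejects the second input or, for a valid address, wraps it in single quotes so gpg receives it as one argument.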

The first vulnerability affects all versions of Horde Webmail with PGP  
features enabled in the user's preferences. To exploit this  
vulnerability from within a Horde Webmail install, the attacker must  
be an authenticated user and attempt to encrypt an email addressed to  
a maliciously crafted email address. This vulnerability has been  
assigned CVE ID: CVE-2017-7413.

The second vulnerability affects Horde Webmail versions 5.0 and above  
with PGP features enabled in the user's preferences. Additionally, it  
requires that the user has enabled the “Should PGP signed messages be  
automatically verified when viewed?” preference. For versions of Horde  
Webmail 5.2.0 or greater, the server administrator must also have  
enabled the inline viewing of PGP data. To exploit this vulnerability,  
an attacker can send a maliciously crafted PGP signed email to a Horde  
user, who then must either view or preview it. This vulnerability has  
been assigned CVE ID: CVE-2017-7414.

Both of these vulnerabilities are fixed in Horde_Crypt 2.7.6.

Thanks to Maor Shwartz <maors at beyondsecurity.com> for reporting these issues.

The Horde Project