[horde] another security issue discovered in Horde ref. CVE-2022-30287
Pascal Rigaux
pascal.rigaux at univ-paris1.fr
Wed Jun 1 20:20:55 UTC 2022
On 01/06/2022 18:36, Cristian-Petru Pencov wrote:
> Hi folks,
> it seems that Horde is under 'fire' regarding the security flaws.
> And this one is really nasty!
>
> "New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email"
> https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html
>
> and from the researcher's blog
> https://blog.sonarsource.com/horde-webmail-rce-via-email/
>
> I hope that the dev team will find the quickest solution to block these attacks.
Hi. I did the following quick fix with no regression for now...
--- lib/Factory/Driver.php
+++ lib/Factory/Driver.php
@@ -49,6 +49,10 @@ class Turba_Factory_Driver extends Horde_Core_Factory_Base
public function create($name, $name2 = '')
{
if (is_array($name)) {
+ if (!$name2) {
+ error_log("Disallowed for CVE-2022-30287: " . json_encode(debug_backtrace()));
+ die("not allowed");
+ }
ksort($name);
$key = md5(serialize($name));
$srcName = $name2;
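Review bot: In the added `if (!$name2)` block, `json_encode(debug_backtrace())` serializes every frame's arguments and objects into the error log, so request data can end up in the log, and json_encode returns false on recursive or non-UTF-8 values, which would leave only the "Disallowed for CVE-2022-30287: " prefix. Passing `DEBUG_BACKTRACE_IGNORE_ARGS` to debug_backtrace() keeps file, line and function, which is enough to identify the caller. Two smaller points on the same block: `die("not allowed")` ends the request with nothing for callers to catch, where throwing an exception would let the application report the failure normally, and `!$name2` also rejects a source name of '0', so comparing against the default with `$name2 === ''` would match the intent more closely.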