[horde] another security issue discovered in Horde ref. CVE-2022-30287
Pascal Rigaux
pascal.rigaux at univ-paris1.fr
Thu Jun 2 11:24:47 UTC 2022
On 02/06/2022 12:20, Michael Menge wrote:
>> Hi. I did the following quick fix with no regression for now...
>
> Thanks for the patch, but some of our users are unable to use horde, because
> they receive a white page with "not allowed". I am still investigating.
It seems the patch is enough IF you have
$cfgSources['localsql']['use_shares'] = false;
> Is there another way to mitigate the CVE?
Here is a more complete attempt: https://github.com/UnivParis1/turba/tree/CVE-2022-30287
- "create" method does NOT allow arrays
- "createTrusted" method allows arrays, and is used everywhere the array comes from the horde conf.
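The split described above (a request-facing method that refuses arrays, a separate trusted method for configuration-derived arrays), as an added illustration that is not Turba's or Horde's code; the class and variable names are hypothetical and the configuration is constructed:

```php
<?php
// Added illustration, not Turba's or Horde's own code: a driver factory whose
// request-facing entry point only accepts a configured source name, while the
// array-accepting path is reserved for server-side configuration.
// Class and variable names here are hypothetical.

abstract class Driver
{
    public function __construct(public array $params) {}
}
final class SqlDriver extends Driver {}
final class LdapDriver extends Driver {}

final class AddressBookFactory
{
    private const DRIVERS = ['sql' => SqlDriver::class, 'ldap' => LdapDriver::class];

    public function __construct(private array $cfgSources) {}

    // Entry point for values that may come from the request. PHP parses
    // ?source[type]=sql into an array, so anything other than a string
    // naming a configured source is rejected instead of being treated
    // as a driver configuration.
    public function create($source): Driver
    {
        if (!is_string($source) || !array_key_exists($source, $this->cfgSources)) {
            throw new InvalidArgumentException('source must name a configured address book');
        }
        return $this->createTrusted($this->cfgSources[$source]);
    }

    // Accepts a full configuration array; callers must only pass data that
    // originates from the server-side configuration, never client input.
    public function createTrusted(array $config): Driver
    {
        $type = $config['type'] ?? '';
        if (!is_string($type) || !isset(self::DRIVERS[$type])) {
            throw new InvalidArgumentException('unsupported driver type');
        }
        $class = self::DRIVERS[$type];
        return new $class($config);
    }
}

// Constructed sample configuration, shaped after Turba's $cfgSources.
$cfgSources = ['localsql' => ['type' => 'sql', 'use_shares' => false]];
$factory = new AddressBookFactory($cfgSources);
echo get_class($factory->create('localsql')), PHP_EOL;
try { $factory->create(['type' => 'sql']); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

With use_shares enabled, Turba builds array configurations internally from its own configuration; those internal callers are the ones that belong on the createTrusted path, which is why the earlier string-only fix broke users whose sources used shares.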