[horde] another security issue discovered in Horde ref. CVE-2022-30287
Michael Menge
michael.menge at zdv.uni-tuebingen.de
Thu Jun 2 11:56:01 UTC 2022
Hi Pascal,
Quoting Pascal Rigaux <pascal.rigaux at univ-paris1.fr>:
> On 02/06/2022 12:20, Michael Menge wrote:
>
>>> Hi. I did the following quick fix with no regression for now...
>>
>> Thanks for the Patch, but some of our users are unable to use horde, because
>> they receive a white page with "not allowed". I am still investigating.
>
> It seems the patch is enough IF you have
>
> $cfgSources['localsql']['use_shares'] = false;
We use use_shares, so that was not working.
>
>> Is there an other way to mitigate the CVE?
>
> Here is a more complete tentative:
> https://github.com/UnivParis1/turba/tree/CVE-2022-30287
>
> - "create" method does NOT allow arrays
> - "createTrusted" method allows array, and is used everywhere the
> array comes from the horde conf.
>
Thanks for the updated patch.
--------------------------------------------------------------------------------
Michael Menge                    Tel.:  (49) 7071 / 29-70316
Universität Tübingen             Fax.:  (49) 7071 / 29-5912
Zentrum für Datenverarbeitung    mail:  michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
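As an added illustration of the create/createTrusted split that Pascal describes above: this is example code written for this page, not Turba's or Horde's own code, and the class names (DriverFactory, SqlDriver, LdapDriver), the shape of the constructed $cfgSources array and the driver allow-list are assumptions. The point it demonstrates is that the entry point reachable from a request ("create") accepts only a string naming a configured source and rejects arrays outright, while the array-accepting "createTrusted" is reserved for configuration the application itself supplies.

```php
<?php
// Added example (not Turba's code): a factory split into an untrusted "create"
// that refuses arrays and a trusted "createTrusted" for config-sourced arrays.
// All names and the config layout below are assumptions for illustration.

declare(strict_types=1);

// Constructed configuration in the spirit of turba's $cfgSources: the key is
// the source name a user may select, the value is the driver configuration.
$cfgSources = [
    'localsql' => [
        'type'   => 'sql',
        'params' => ['table' => 'turba_objects'],
    ],
    'ldap_public' => [
        'type'   => 'ldap',
        'params' => ['server' => 'ldap.example.invalid'],
    ],
];

abstract class Driver
{
    public function __construct(public array $params) {}
    abstract public function type(): string;
}

final class SqlDriver extends Driver  { public function type(): string { return 'sql'; } }
final class LdapDriver extends Driver { public function type(): string { return 'ldap'; } }

final class DriverFactory
{
    /** Driver types this factory will instantiate; acts as an allow-list. */
    private const TYPES = ['sql' => SqlDriver::class, 'ldap' => LdapDriver::class];

    public function __construct(private array $cfgSources) {}

    /**
     * Untrusted entry point: $name may come straight from the request.
     * It must be a string naming a configured source. Arrays (or any other
     * type) are rejected so a caller cannot smuggle in a driver configuration.
     */
    public function create(mixed $name): Driver
    {
        if (!is_string($name)) {
            throw new InvalidArgumentException('Source name must be a string');
        }
        if (!array_key_exists($name, $this->cfgSources)) {
            throw new RuntimeException("Unknown source: $name");
        }
        return $this->createTrusted($this->cfgSources[$name]);
    }

    /**
     * Trusted entry point: $config is a driver configuration array that must
     * originate from the application's own configuration, never from a request.
     */
    public function createTrusted(array $config): Driver
    {
        $type = $config['type'] ?? null;
        if (!is_string($type) || !isset(self::TYPES[$type])) {
            throw new RuntimeException('Unsupported driver type');
        }
        $class = self::TYPES[$type];
        return new $class($config['params'] ?? []);
    }
}

$factory = new DriverFactory($cfgSources);

// Legitimate use: a string naming a configured source.
echo $factory->create('localsql')->type(), "\n";   // sql

// Request-controlled array: rejected at the boundary before any driver is built.
try {
    $factory->create(['type' => 'sql', 'params' => ['table' => 'attacker']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Internal use: configuration arrays are only ever passed to createTrusted.
echo $factory->createTrusted($cfgSources['ldap_public'])->type(), "\n";   // ldap
```

The check in create() is deliberately a type check rather than a sanitisation step: once an array has been accepted as a "name" it is indistinguishable from a configuration the application wrote itself, so the only safe place to distinguish the two is the boundary where the value enters.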