[horde] another security issue discovered in Horde ref. CVE-2022-30287

Jan Schneider jan at horde.org
Thu Jun 2 12:51:35 UTC 2022


Quoting Michael Menge <michael.menge at zdv.uni-tuebingen.de>:

> Hi Pascal
>
> Quoting Pascal Rigaux <pascal.rigaux at univ-paris1.fr>:
>
>> On 02/06/2022 12:20, Michael Menge wrote:
>>
>>>> Hi. I did the following quick fix with no regression for now...
>>>
>>> Thanks for the patch, but some of our users are unable to use horde, because
>>> they receive a white page with "not allowed". I am still investigating.
>>
>> It seems the patch is enough IF you have
>>
>>  $cfgSources['localsql']['use_shares'] = false;
>
> we use_shares, so that was not working.
>
>>
>>> Is there another way to mitigate the CVE?
>>
>> Here is a more complete attempt:
>> https://github.com/UnivParis1/turba/tree/CVE-2022-30287
>>
>> - "create" method does NOT allow arrays
>> - "createTrusted" method allows arrays, and is used everywhere the array comes from the horde conf.
>>
>
> Thanks for the updated patch.

Thanks for testing the patch; we are going to release a fix ASAP, but probably not before the weekend.

Jan.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/
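The string-versus-array split that the UnivParis1 branch describes above (a "create" entry point that refuses arrays, and a separate "createTrusted" entry point for definitions that come from the site configuration) is illustrated below. This is an added example, not Turba's or Horde's own code: the class, method and driver names (DriverFactory, SqlDriver, LdapDriver) are hypothetical, the drivers are stubs, and the $cfgSources array is constructed for the demo. It assumes PHP 8.1 or later.

```php
<?php
// Added illustration of the string-vs-array split discussed in the thread.
// NOT Turba's code: DriverFactory, SqlDriver and LdapDriver are hypothetical
// stand-ins so the file runs stand-alone (php example.php). Requires PHP >= 8.1.

interface AddressBookDriver {}

final class SqlDriver implements AddressBookDriver
{
    public function __construct(public readonly array $params) {}
}

final class LdapDriver implements AddressBookDriver
{
    public function __construct(public readonly array $params) {}
}

final class DriverFactory
{
    /** Driver types an operator may configure; anything else is refused. */
    private const DRIVERS = [
        'sql'  => SqlDriver::class,
        'ldap' => LdapDriver::class,
    ];

    /** @param array<string, array> $cfgSources source definitions from the site config */
    public function __construct(private readonly array $cfgSources) {}

    /**
     * Entry point for anything a user can reach (API calls, request
     * parameters, imported data). It accepts only a source NAME and resolves
     * it against the operator's configuration, so the caller can never
     * supply the driver type or its connection parameters.
     */
    public function create(mixed $name): AddressBookDriver
    {
        if (!is_string($name)) {
            throw new InvalidArgumentException(
                'source must be a configured source name, got ' . get_debug_type($name)
            );
        }
        if (!isset($this->cfgSources[$name])) {
            throw new RuntimeException("unknown address book source: $name");
        }
        return $this->createTrusted($this->cfgSources[$name]);
    }

    /**
     * Entry point for code that already holds a full source definition taken
     * from the configuration (e.g. a share-based path that derives a per-user
     * definition from a configured source; that path is assumed here, mirroring
     * the use_shares problem reported in the thread). Never pass request data.
     */
    public function createTrusted(array $source): AddressBookDriver
    {
        $type = $source['type'] ?? null;
        if (!is_string($type) || !isset(self::DRIVERS[$type])) {
            throw new RuntimeException('unsupported driver type: ' . var_export($type, true));
        }
        $class = self::DRIVERS[$type];
        return new $class($source['params'] ?? []);
    }
}

// Constructed configuration standing in for $cfgSources (demo data only).
$cfgSources = [
    'localsql' => [
        'type'       => 'sql',
        'params'     => ['table' => 'turba_objects'],
        'use_shares' => true,
    ],
];
$factory = new DriverFactory($cfgSources);

// 1. A normal request: the user names a configured source.
$driver = $factory->create('localsql');
if (!$driver instanceof SqlDriver || $driver->params['table'] !== 'turba_objects') {
    throw new LogicException('expected the configured sql driver');
}

// 2. A request that smuggles a whole definition. Before the split, an array
//    here would have been used as the source definition itself; now it is refused.
try {
    $factory->create(['type' => 'sql', 'params' => ['table' => 'anything']]);
    throw new LogicException('array accepted from an untrusted caller');
} catch (InvalidArgumentException $e) {
    echo "untrusted array rejected: {$e->getMessage()}\n";
}

// 3. A config-derived definition (the share-style path) still works, but only
//    through the trusted entry point.
$shared = $cfgSources['localsql'];
$shared['params']['owner'] = 'alice';
$driver = $factory->createTrusted($shared);
if ($driver->params['owner'] !== 'alice') {
    throw new LogicException('trusted path lost its parameters');
}
echo "ok\n";
```

The point the thread makes about use_shares carries over: once create() refuses arrays, every internal caller that hands the factory a definition built from configuration has to be switched to createTrusted(), otherwise those users get the "not allowed" page instead of their address book.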


