[horde] another security issue discovered in Horde ref. CVE-2022-30287
Jens Wahnes
wahnes at uni-koeln.de
Wed Jun 8 14:18:06 UTC 2022
Jos van der Woude wrote:
> Yesterday I applied the patch for CVE-2022-30287 using pear upgrade
> --alldeps horde/turba
>
> Since then lots of errors in the logs:
>
> HORDE[127489]:[turba] $config must be an array [pid 127489 on line 55 of
> "/var/www/html/mail/horde/turba/lib/Factory/Driver.php"]
>
> Some emails display correctly, others show up as empty and throw up this
> error.
>
> Any ideas, anyone?
I've seen a lot of these error messages, too, after updating to Turba
4.2.27. These errors are often accompanied by messages reading
HORDE[2913545]:[turba] The contact you requested does not exist. [pid
2913545 on line 23 of "[...]/turba/view.php"]
But I could not find out what causes these errors. Strangely enough,
some (but not all) of our users have problems accessing their emails in
Imp after the update to Turba, with the "$config must be an array"
message displayed when double-clicking an email to open it in a new
window. Not sure if there is any connection there (i.e. if it is caused
by an email whose sender is part of the user's address book).
Looking for oddities in the logfile, I also spotted HTTP requests for
URL paths like this
/turba/view.php?ctype=image%2F%2A&id=1.5&imp_img_view=data&actionID=view_attach&muid=%7B5%7DINBOX7108&view_token=XYZ
There seems to be some correlation between these types of HTTP requests
and the "The contact you requested does not exist" error I mentioned
before. But I can't really pinpoint this. Also, I don't know what this
kind of HTTP request (mentioning "INBOX" and "imp" but calling Turba)
is used for anyway. Does anybody know?
The only idea I've got so far would be to revert to the previous state,
i.e. Turba 4.2.25 with the changes by Pascal Rigaux applied. Most of his
changes can be applied directly to the Horde 5 code (with some fuzz),
only the Horde 5 code in "turba/lib/Application.php" needs some manual
tweaking.
Jens
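As an added triage aid (not code from this thread or from the Horde project), the script below pulls the Turba requests Jens describes out of a web-server access log and lines them up with the Turba log messages written at the same moment, so each suspect request can be checked against the errors it coincides with. It assumes Apache combined-format access logs, a syslog-style "Mon DD HH:MM:SS" timestamp in front of the HORDE[pid] messages, a fixed log year and a two-second matching window; the sample log lines, users, addresses and times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample input (not taken from any real server). The access-log lines use the
# Apache "combined" format; the Horde log lines assume a syslog-style "Mon DD HH:MM:SS"
# prefix in front of the HORDE[pid] messages quoted in the thread. Users, IPs and times
# are made up.
ACCESS_LOG = """\
203.0.113.7 - alice [08/Jun/2022:14:01:10 +0000] "GET /turba/view.php?ctype=image%2F%2A&id=1.5&imp_img_view=data&actionID=view_attach&muid=%7B5%7DINBOX7108&view_token=XYZ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - alice [08/Jun/2022:14:01:11 +0000] "GET /imp/basic.php?page=message&buid=7108 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - bob [08/Jun/2022:14:05:40 +0000] "GET /turba/view.php?source=localsql&key=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

HORDE_LOG = """\
Jun 08 14:01:10 HORDE[2913545]: [turba] The contact you requested does not exist. [pid 2913545 on line 23 of "/var/www/html/mail/horde/turba/view.php"]
Jun 08 14:01:11 HORDE[127489]: [turba] $config must be an array [pid 127489 on line 55 of "/var/www/html/mail/horde/turba/lib/Factory/Driver.php"]
Jun 08 14:05:40 HORDE[2913546]: [horde] constructed benign message for user bob
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HORDE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) HORDE\[(?P<pid>\d+)\]: '
    r'\[(?P<app>\w+)\] (?P<message>.*?)'
    r'(?: \[pid \d+ on line (?P<line>\d+) of "(?P<file>[^"]+)"\])?$'
)
# Query parameters that belong to IMP's attachment viewer, as seen in the request Jens quoted.
IMP_PARAMS = {"imp_img_view", "muid", "actionID"}


def parse_access_line(line):
    """Parse one combined-format access-log line; return None for anything else."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "user": m["user"],
        # Normalise to naive UTC so it compares with the (zone-less) Horde timestamps.
        "ts": ts.astimezone(timezone.utc).replace(tzinfo=None),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def parse_horde_line(line, year=2022):
    """Parse one Horde log line. The syslog prefix carries no year, so one is assumed."""
    m = HORDE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "pid": int(m["pid"]),
        "app": m["app"],
        "message": m["message"],
        "line": int(m["line"]) if m["line"] else None,
        "file": m["file"],
    }


def is_imp_request_to_turba(req):
    """True for a request that hits Turba's view.php but carries IMP attachment-viewer
    parameters, which is the pattern quoted in the thread."""
    return req["path"].endswith("/turba/view.php") and bool(req["query"].keys() & IMP_PARAMS)


def correlate(access_text, horde_text, window_s=2):
    """For every suspect Turba request, collect the Turba log messages written within
    +/- window_s seconds of it. An empty 'events' list means the Horde log did not
    explain that request."""
    requests = [r for r in map(parse_access_line, access_text.splitlines()) if r]
    events = [e for e in map(parse_horde_line, horde_text.splitlines()) if e]
    window = timedelta(seconds=window_s)
    hits = []
    for req in requests:
        if not is_imp_request_to_turba(req):
            continue
        nearby = [e for e in events
                  if e["app"] == "turba" and abs(e["ts"] - req["ts"]) <= window]
        hits.append({
            "user": req["user"],
            "ts": req["ts"],
            "muid": req["query"].get("muid", [None])[0],
            "events": nearby,
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(ACCESS_LOG, HORDE_LOG):
        print(f"{hit['ts']} user={hit['user']} muid={hit['muid']}")
        for ev in hit["events"]:
            print(f"    {ev['ts']} [{ev['app']}] {ev['message']} ({ev['file']}:{ev['line']})")
```

To run this against real logs, read the access log and the Horde log into the two strings (or pass file contents straight to correlate()) and adjust the year and the window; suspect requests that come back with no events are the ones worth opening in the mail client with debug logging enabled.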