[horde] another security issue discovered in Horde ref. CVE-2022-30287
Jens Wahnes
wahnes at uni-koeln.de
Tue Jun 14 17:08:25 UTC 2022
Michael J Rubinsky wrote:
> 4.2.28 should fix the remaining regressions.
Fortunately, I got some help from other Horde users. Together, we could
narrow down the remaining issue with Turba 4.2.28 that I mentioned earlier.
The problem is with virtual address books. If one decides to save an
address book search as a virtual address book, the issue of "$config must
be an array" will come up as soon as one clicks on "Address Book" in
dynamic mode.
Things get worse if such a virtual address book has previously been set
as the default address book. With such a configuration setting, the
trouble of e-mails not being displayed in Imp turns up frequently. So in
dynamic view, a single click on a message may not refresh the message
display (at least not always), and a double click will open a new window
reading "$config must be an array". Or sometimes it will not open a new
window at all. Yet other messages may still open fine. It is very confusing.
Using a virtual address book at all, and then using it as the default
address book, is not a very common combination, which is probably why it
affects only a fraction of our users. So it has been hard to really
reproduce this, but now I've got a good example going and would be able
to provide debug output if that helps to find and fix the issue.
I tried to look into it myself, but could not find the exact cause. In
the "turba/lib/Driver/Vbook.php" file in the __construct method (around
line 50), I could see that $params['source'] would be empty sometimes,
but not always. That is probably what causes the trouble in the first
place. The number of virtual address books seems to play a role here,
too (i.e. if there is more than one). So it could be an off-by-one thing
or something like that.
Jens