[horde] another security issue discovered in Horde ref. CVE-2022-30287

Michael J Rubinsky mrubinsk at horde.org
Sat Jun 18 21:59:29 UTC 2022


Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Quoting Jens Wahnes <wahnes at uni-koeln.de>:
>
>> Michael J Rubinsky wrote:
>>> 4.2.28 should fix the remaining regressions.
>>
>> Fortunately, I got some help from other Horde users. Together, we  
>> could narrow down the remaining issue with Turba 4.2.28 that I  
>> mentioned earlier.
>>
>> The problem is with virtual address books. If one decides to save  
>> an addressbook search as a virtual address book, the issue of  
>> "$config must be an array" will come up as soon as one clicks on  
>> "Address Book" in dynamic mode.
>>
>> Things get worse if such a virtual address book has previously been  
>> set as the default address book. With such a configuration setting,  
>> the trouble of e-mails not being displayed in Imp turns up  
>> frequently. So in dynamic view, a single click on a message may not  
>> refresh the message display (at least not always), and a double  
>> click will open a new window reading "$config must be an array". Or  
>> sometimes it will not open a new window at all. Yet other messages  
>> may still open fine. It is very confusing.
>>
>> Using a virtual addressbook at all, and then using it as the  
>> default addressbook is not a very common combination, which is  
>> probably why it affects only a fraction of our users. So it has  
>> been hard to really reproduce this, but now I've got a good example  
>> going and would be able to provide debug output if that helps to  
>> find and fix the issue.
>>
>> I tried to look into it myself, but could not find the exact cause.  
>> In the "turba/lib/Driver/Vbook.php" file in the __construct method  
>> (around line 50), I could see that $params['source'] would be empty  
>> sometimes, but not always. That is probably what causes the trouble  
>> in the first place. The number of virtual address books seems to  
>> play a role here, too (i.e. if there is more than one). So it could  
>> be an off-by-one thing or something like that.
>
> That does indeed help narrow things down. I'll take a look when I can.
>
> $params['source'] is *supposed* to contain an array descripting the  
> "base" configuration for the VBook. I.e., the type of backend that  
> backs the addressbook. Probably some code path where that is not  
> being set properly.


Fixed in 4.2.29

>
>
>
>
> -- 
> mike
> The Horde Project
> http://www.horde.org
> https://www.facebook.com/hordeproject
> https://www.twitter.com/hordeproject



-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 9386 bytes
Desc: PGP Public Key
URL: <https://lists.horde.org/archives/horde/attachments/20220618/12c59720/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: PGP Digital Signature
URL: <https://lists.horde.org/archives/horde/attachments/20220618/12c59720/attachment.sig>


More information about the horde mailing list