[horde] another security issue discovered in Horde ref. CVE-2022-30287

Jos van der Woude jos at veerkade.com
Sun Jun 19 09:20:17 UTC 2022


Mike,

Thank you!
4.2.29 fixed it for me too.

Regards
Jos

Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>
>> Quoting Jens Wahnes <wahnes at uni-koeln.de>:
>>
>>> Michael J Rubinsky wrote:
>>>> 4.2.28 should fix the remaining regressions.
>>>
>>> Fortunately, I got some help from other Horde users. Together, we  
>>> could narrow down the remaining issue with Turba 4.2.28 that I  
>>> mentioned earlier.
>>>
>>> The problem is with virtual address books. If one decides to save  
>>> an addressbook search as a virtual address book, the issue of  
>>> "$config must be an array" will come up as soon as one clicks on  
>>> "Address Book" in dynamic mode.
>>>
>>> Things get worse if such a virtual address book has previously  
>>> been set as the default address book. With such a configuration  
>>> setting, the trouble of e-mails not being displayed in Imp turns  
>>> up frequently. So in dynamic view, a single click on a message may  
>>> not refresh the message display (at least not always), and a  
>>> double click will open a new window reading "$config must be an  
>>> array". Or sometimes it will not open a new window at all. Yet  
>>> other messages may still open fine. It is very confusing.
>>>
>>> Using a virtual addressbook at all, and then using it as the  
>>> default addressbook is not a very common combination, which is  
>>> probably why it affects only a fraction of our users. So it has  
>>> been hard to really reproduce this, but now I've got a good  
>>> example going and would be able to provide debug output if that  
>>> helps to find and fix the issue.
>>>
>>> I tried to look into it myself, but could not find the exact  
>>> cause. In the "turba/lib/Driver/Vbook.php" file in the __construct  
>>> method (around line 50), I could see that $params['source'] would  
>>> be empty sometimes, but not always. That is probably what causes  
>>> the trouble in the first place. The number of virtual address  
>>> books seems to play a role here, too (i.e. if there is more than  
>>> one). So it could be an off-by-one thing or something like that.
>>
>> That does indeed help narrow things down. I'll take a look when I can.
>>
>> $params['source'] is *supposed* to contain an array describing the
>> "base" configuration for the VBook. I.e., the type of backend that
>> backs the addressbook. Probably some code path where that is not
>> being set properly.
>
> Fixed in 4.2.29
>
>> --
>> mike
>> The Horde Project
>> http://www.horde.org
>> https://www.facebook.com/hordeproject
>> https://www.twitter.com/hordeproject
>
> --
> mike
> The Horde Project
> http://www.horde.org
> https://www.facebook.com/hordeproject
> https://www.twitter.com/hordeproject
