cnvd - cnvd-2019-13850

CNVD-2019-13850

Vulnerability from cnvd - Published: 2019-05-13

Title

Horde Groupware Webmail代码执行漏洞

Description

Horde Groupware Webmail是美国Horde公司的一套基于浏览器的企业级通信套件。 Horde Groupware Webmail中存在安全漏洞。远程攻击者可利用该漏洞执行任意的PHP代码。。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.horde.org/

Reference

https://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html

Impacted products

Name
Horde Horde Groupware Webmail

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-9858"
    }
  },
  "description": "Horde Groupware Webmail\u662f\u7f8e\u56fdHorde\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u6d4f\u89c8\u5668\u7684\u4f01\u4e1a\u7ea7\u901a\u4fe1\u5957\u4ef6\u3002\n\nHorde Groupware Webmail\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684PHP\u4ee3\u7801\u3002 \u3002",
  "discovererName": "unKnow",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.horde.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-13850",
  "openTime": "2019-05-13",
  "products": {
    "product": "Horde Horde Groupware Webmail"
  },
  "referenceLink": "https://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html",
  "serverity": "\u9ad8",
  "submitTime": "2019-04-12",
  "title": "Horde Groupware Webmail\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2019-9858 (GCVE-0-2019-9858)

Vulnerability from cvelistv5 – Published: 2019-05-29 16:26 – Updated: 2024-08-04 22:01

Summary

Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it's never submitted by the forms, which default to securely using a random path.)

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://ssd-disclosure.com/?p=3814&preview=true	x_refsource_MISC
	http://packetstormsecurity.com/files/152476/Horde…	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2019…	mailing-listx_refsource_MLIST
	https://www.debian.org/security/2019/dsa-4468	vendor-advisoryx_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Jun/31	mailing-listx_refsource_BUGTRAQ

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:01:55.132Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html"
          },
          {
            "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html"
          },
          {
            "name": "DSA-4468",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4468"
          },
          {
            "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jun/31"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it\u0027s never submitted by the forms, which default to securely using a random path.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-24T08:06:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html"
        },
        {
          "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html"
        },
        {
          "name": "DSA-4468",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4468"
        },
        {
          "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jun/31"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-9858",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it\u0027s never submitted by the forms, which default to securely using a random path.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ssd-disclosure.com/?p=3814\u0026preview=true",
              "refsource": "MISC",
              "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true"
            },
            {
              "name": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html"
            },
            {
              "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html"
            },
            {
              "name": "DSA-4468",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4468"
            },
            {
              "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jun/31"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-9858",
    "datePublished": "2019-05-29T16:26:06",
    "dateReserved": "2019-03-18T00:00:00",
    "dateUpdated": "2024-08-04T22:01:55.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-13850

CVE-2019-9858 (GCVE-0-2019-9858)

Tags

Sightings

Nomenclature