Kronolith web calendar allows code inclusion
Kronolith, a groupware calendar system, is intended to simplify the interaction of its users, but security vendor iDefense is reporting the discovery of a vulnerability that makes it easier for ill-intentioned users to spy on their colleagues. Authenticated users can execute their own PHP code under the security context of the web server and thereby gain access to the data and mail of other users. Kronolith is typically installed alongside the IMP web mail solution based on the Horde framework.
According to the bug report, the error lies in the lib/FBView.php module: by manipulating a user-supplied view parameter, an attacker can redirect a file path to arbitrary files, which are then executed. iDefense notes in its report that the module does filter the supplied parameter through PHP's basename function, but the original, unfiltered value is nevertheless used as the script continues to execute.
This flaw can only include files that already exist on the server -- remote file inclusion is not possible -- but authenticated users have various ways to place data and/or files on a server.
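The pattern iDefense describes, a sanitised value that is computed and then ignored, is illustrated below in an added example; it is not code from Kronolith or from the iDefense advisory. The parameter name `$view`, the `views/` directory, the allowlisted view names and the sandbox files are all hypothetical. The vulnerable loader builds the include path from the raw input even though `basename()` has been called; the hardened loader uses the sanitised name, checks it against an allowlist, and confirms with `realpath()` that the resolved file still lies inside the views directory.

```php
<?php
// Added example, not code from Kronolith or the iDefense report.
// Names ($view, views/, 'day', 'week', 'month') are hypothetical; the
// pattern is the one the article describes: basename() is applied, but
// the unfiltered original value is what gets used afterwards.

declare(strict_types=1);

// Vulnerable variant: the sanitised value is computed and then never used.
function viewPathVulnerable(string $viewDir, string $view): string
{
    $sanitised = basename($view);           // computed ...
    return $viewDir . '/' . $view . '.php'; // ... but the raw value is used
}

// Hardened variant: use the sanitised value, allow only known view names,
// and verify that the resolved path stays inside the views directory.
function viewPathHardened(string $viewDir, string $view): string
{
    $allowed = ['day', 'week', 'month']; // hypothetical view names
    $name = basename($view);
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown view: $view");
    }
    $base = realpath($viewDir);
    $path = realpath($viewDir . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('view file resolves outside the views directory');
    }
    return $path;
}

// Constructed sandbox: a temporary views/ directory with one genuine view
// and one file outside it that must never be loaded as a view.
$root = sys_get_temp_dir() . '/fbview_demo_' . getmypid();
mkdir("$root/views", 0700, true);
file_put_contents("$root/views/day.php", "<?php return 'day view';\n");
file_put_contents("$root/notaview.php", "<?php return 'must not be loaded';\n");

// A legitimate view name and a traversal attempt, both as an authenticated
// user could submit them in the hypothetical view parameter.
foreach (['day', '../notaview'] as $input) {
    $vuln = viewPathVulnerable("$root/views", $input);
    printf("input %-14s vulnerable -> %s (%s)\n", "'$input'", $vuln,
        file_exists($vuln) ? 'exists, would be included' : 'missing');
    try {
        $safe = viewPathHardened("$root/views", $input);
        printf("%-20s hardened   -> %s\n", '', $safe);
    } catch (Exception $e) {
        printf("%-20s hardened   -> rejected: %s\n", '', $e->getMessage());
    }
}

// Remove the sandbox.
unlink("$root/views/day.php");
unlink("$root/notaview.php");
rmdir("$root/views");
rmdir($root);
```

Run with `php example.php`: the vulnerable loader resolves the traversal input to the file outside `views/`, which exists and would be included, while the hardened loader rejects it before any path is built. The allowlist is the decisive control; the `realpath()` prefix check is a second line of defence against symlinks or future changes to how the path is assembled.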
The bug has been confirmed in the versions Horde Kronolith 2.0.1 and 2.1.3. Other versions are likely also affected. The developers have removed the bug from 2.0.7 and 2.1.4.
- Horde Kronolith Arbitrary Local File Inclusion Vulnerability, bug report from iDefense