Security hole in Horde application framework closed
Version 3.1.7 of the Horde web development framework has been released; it closes a serious security hole. According to the release notes, previous versions allowed attackers to include external PHP files remotely via manipulated theme preferences and thereby run malicious code on the web server hosting the vulnerable Horde application. The developer versions 3.2.x are said not to contain the vulnerability.
An advisory giving further details of the vulnerability, a sample exploit and a short patch has been published on the Bugtraq security mailing list. The error is apparently in the email component of the framework, which the cPanel web administration software uses. The cause is inadequate filtering of the POST variable in the horde/lib/Horde/Prefs.php file.
Web administrators who maintain Horde applications should either update the server-wide Horde Framework or import the patch as soon as possible.
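As an added illustration of the vulnerability class described above (a request-supplied theme preference flowing into an include path) and of the hardening a maintainer would apply, this is not Horde's code and not the advisory's patch; the function names, the `theme` POST field and the theme directory layout are assumptions.

```php
<?php
// Added illustration only: NOT Horde's code and NOT the Bugtraq patch.
// Assumed layout: one directory per installed theme under $themeDir,
// each containing a screen.php that the application includes.

// Vulnerable shape: the raw preference value from the POST body is
// concatenated into an include path, so whatever the client sends
// decides which file the server executes.
function load_theme_unsafe(array $post, string $themeDir): void
{
    $theme = $post['theme'] ?? 'default';
    include $themeDir . '/' . $theme . '/screen.php';
}

// Hardened shape, step 1: map the request value onto an allowlist built
// from the theme directories that actually exist; anything else is rejected.
function resolve_theme(string $requested, string $themeDir): ?string
{
    // Theme names are plain identifiers: no slashes, dots, colons or spaces.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }
    $installed = array_map('basename', glob($themeDir . '/*', GLOB_ONLYDIR) ?: []);
    return in_array($requested, $installed, true) ? $requested : null;
}

// Hardened shape, step 2: include only a path that resolves inside the
// theme root, falling back to the default theme on any rejection.
function load_theme_safe(array $post, string $themeDir): void
{
    $root  = realpath($themeDir);
    $theme = resolve_theme((string)($post['theme'] ?? ''), $themeDir) ?? 'default';
    $path  = realpath($themeDir . '/' . $theme . '/screen.php');
    // realpath() is false for missing files; the prefix check guards the root.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        error_log('theme rejected or not found: ' . $theme);
        return;
    }
    include $path;
}
```

The allowlist is the real control; the `realpath()` prefix check is a second line of defence in case a theme directory is ever a symlink pointing elsewhere.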
See also:
- Horde Webmail file inclusion proof of concept & patch, details on Bugtraq
- Release notes for Version 3.1.7 by Horde's developers
(mba)