In association with heise online

10 March 2008, 10:55

Security hole in Horde application framework closed

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Version 3.1.7 of the Horde web development framework has been released, which eliminates a serious security hole. According to the release notes, previous versions allowed attackers to include external PHP files remotely using manipulated theme preferences, and run malicious code on the web server with the vulnerable Horde application. Developer versions 3.2.x are said not to contain the vulnerability.

An advisory giving further details of the vulnerability, a sample exploit and a short patch has been published on the Bugtraq security mailing list. The error is apparently in the email component of the Framework, which the cPanel web administration software uses. The cause is inadequate filtering of the POST variable in the horde/lib/Horde/Prefs.php file.

Web administrators who maintain Horde applications should either update the server-wide Horde Framework or import the patch as soon as possible.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit