Horde CGI Remote Command Execution Vulnerability

Horde is a set of web-based productivity, messaging, and project-management applications written in PHP and distributed under the GPL and LGPL licenses. For sending email, it uses popen to execute sendmail with user input as part of the command string (which is then parsed by the shell..). One of these parameters that originates as user input, the "from" value, can be used to gain remote access to the server on which horde is running. The script does not check to make sure that the value of this variable is sane before sending it to the shell that is executed by the popen() call. As a result it is possible for an attacker to gain access to the target host with the priviliges of the webserver, given that he/she has ability to send mail from Horde in the first place (it is authenticated in most cases, which is why this is classified as a local vulnerability). The "from" field is the only parameter known to be affected in such a manner. The rest of the variables are protected by a function that cleans them of any metacharacters.


Privacy Statement
Copyright 2010, SecurityFocus