CVE-2012-0209
published 2012-09-25


Priority: P2 (71, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 71.90% (99.3rd percentile)
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.

Affected (2 ranges)

Vendor | Product   | Version range | Fixed in
horde  | groupware |               |
horde  | horde     |               |

Detection & IOCs (extracted from sources)

path:   templates/javascript/open_calendar.js
url:    /services/javascript.php
cookie: href=<function>:<arguments>
other:  $m[1]($m[2])
hash:   bc04ce4499af24a403429c81d0a8afcf
hash:   4bdab16c84513bbd9466cb0dc7464661
hash:   60e100c3e4ab59c01d30bf5eb813a182
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; http.uri; content:"/services/javascript.php"; http.cookie; content:"href"; http.request_body; content:"file=open_calendar.js"; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:4; metadata:created_at 2012_02_21, cve CVE_2012_0209, signature_severity Major, updated_at 2020_04_21;)
  • Exploit sends a POST request to /services/javascript.php with body parameter 'file=open_calendar.js' and a Cookie header containing 'href=<php_function>:<arguments>' to trigger the backdoor.
  • The backdoor payload pattern '$m[1]($m[2])' can be grep-searched within the Horde directory tree to identify compromised files.
  • The backdoor was introduced into the file templates/javascript/open_calendar.js in tarballs distributed via FTP; verify file integrity against known-good MD5 checksums of the affected tarballs.
  • The exploit uses the PHP function 'passthru' delivered via the Cookie 'href' field; monitor for HTTP requests to javascript.php with cookie values matching the pattern href=<word>:<command>.
  • Only tarballs distributed via FTP during specific windows are affected; CVS and Git repository checkouts are clean. Horde 4 releases were not compromised.
  • The Metasploit module requires the 'APP' parameter to correspond to an active Horde application; the default is 'horde'. Adjust detection rules if non-default app names are used.
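As an added example (not cvebase's or Horde's own code), the following Python mirrors the two detection approaches listed above: the Snort rule's three-part request match (URI, 'href' cookie, body) over constructed request records, and a grep-style scan for the '$m[1]($m[2])' payload pattern in file contents. The request records and file body are constructed samples, not real traffic or the real tarball.

```python
import re

# Constructed sample request records (not real traffic). Each carries the
# fields the Snort rule above inspects: URI, Cookie header and request body.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/horde/services/javascript.php",
     "cookie": "href=passthru:id", "body": "app=horde&file=open_calendar.js"},
    {"method": "GET", "uri": "/horde/services/javascript.php",
     "cookie": "Horde=abc123", "body": ""},
    {"method": "POST", "uri": "/horde/services/javascript.php",
     "cookie": "Horde=abc123; href=system:uname -a",
     "body": "file=open_calendar.js&app=horde"},
]

# Cookie form noted on this page: href=<php_function>:<arguments>
HREF_COOKIE = re.compile(r"(?:^|;\s*)href=(\w+):(.*?)(?:;|$)")

def is_backdoor_request(req):
    """Mirror the Snort rule: URI, body and 'href' cookie must all match."""
    if "/services/javascript.php" not in req["uri"]:
        return False
    if "file=open_calendar.js" not in req["body"]:
        return False
    return HREF_COOKIE.search(req["cookie"]) is not None

def flag_requests(requests):
    """Return (index, php_function, arguments) for each matching request."""
    hits = []
    for i, req in enumerate(requests):
        if is_backdoor_request(req):
            m = HREF_COOKIE.search(req["cookie"])
            hits.append((i, m.group(1), m.group(2)))
    return hits

# Backdoor payload pattern from this page: '$m[1]($m[2])'
PAYLOAD = re.compile(r"\$m\[1\]\(\$m\[2\]\)")

def find_payload_lines(source_text):
    """Return 1-based line numbers containing the backdoor call pattern."""
    return [n for n, line in enumerate(source_text.splitlines(), 1)
            if PAYLOAD.search(line)]

# Constructed stand-in for a file body; only line 2 carries the indicator.
SAMPLE_FILE = "var x = 1;\n<?php $m[1]($m[2]); ?>\nfunction openCalendar() {}\n"
```

To apply this to a real Horde tree, feed each file's contents to find_payload_lines and treat any hit as a file to compare against a known-good checkout.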