CVE-2014-1691
Published 2014-04-01
Priority: P266 · high · CVSS 2.0 score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 42.90% (98.6th percentile)
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-horde-util | < php-horde-util 2.3.0-1 (bookworm) | php-horde-util 2.3.0-1 (bookworm) |
| horde | horde_application_framework | <= 5.1.0 | — |
| horde | horde_application_framework | — | — |
| horde | horde_application_framework | — | — |
| horde | horde_application_framework | — | — |
| horde | horde_application_framework | — | — |
| horde | horde_application_framework | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to login.php containing a '_formvars' parameter with a serialized PHP object payload (beginning with 'O:' notation), particularly referencing 'Horde_Kolab_Server_Decorator_Clean'.
- Detect HTTP requests carrying a 'Cmd' header containing base64-encoded data, used to deliver the PHP payload via $_SERVER[HTTP_CMD].
- The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean class to reach a dangerous call_user_func() call in the Horde_Prefs class; look for serialized objects referencing these class names in form input.
- Flag unauthenticated POST requests to the Horde login endpoint where _formvars contains PHP serialized object strings (regex: O:\d+:"Horde_).
- The default TARGETURI for the Metasploit module is '/horde/', meaning the exploit posts to '/horde/login.php'. Deployments with a non-default base path will use a different URI.
- Applying only the upstream patch to Variables.php will break all forms in Horde; the Horde_Form package (>= 2.0.5) must also be updated in tandem.
- The vulnerability affects a wide range of Horde versions, not just 5.x; versions 3.1.x through 5.1.1 are reported as affected.
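The request checks listed above, combined into one filter that can be run over parsed web-server or proxy records. This is an added example, not code from the cited sources or the Horde project; the function names, finding labels, sample requests and the minimum base64 length are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Pattern quoted in the detection notes: a serialized PHP object naming a Horde_ class.
HORDE_OBJECT = re.compile(r'O:\d+:"Horde_')
# Class names the notes associate with the public exploit chain.
CHAIN_CLASSES = ("Horde_Kolab_Server_Decorator_Clean", "Horde_Prefs")


def looks_base64(value: str) -> bool:
    """True for a non-trivial, strictly valid base64 string (length floor is an assumption)."""
    if len(value) < 8 or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


def inspect_request(method: str, path: str, headers: dict, body: str) -> list:
    """Return the labels of the detection notes this request matches."""
    findings = []
    # Match on the script name only: the base path is not always /horde/.
    if method.upper() == "POST" and path.split("?")[0].endswith("/login.php"):
        # parse_qs URL-decodes the values, so %3A-encoded input still matches.
        for value in parse_qs(body, keep_blank_values=True).get("_formvars", []):
            if HORDE_OBJECT.search(value):
                findings.append("formvars_horde_object")
            if any(name in value for name in CHAIN_CLASSES):
                findings.append("formvars_chain_class")
    # HTTP header names are case-insensitive.
    for name, value in headers.items():
        if name.lower() == "cmd" and looks_base64(value.strip()):
            findings.append("cmd_header_base64")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = ("POST", "/horde/login.php", {"User-Agent": "test"},
          "horde_user=alice&_formvars=a%3A1%3A%7Bs%3A4%3A%22name%22%3Bb%3A1%3B%7D")
SUSPECT = ("POST", "/webmail/login.php",
           {"CMD": base64.b64encode(b"placeholder").decode()},
           "_formvars=O%3A34%3A%22Horde_Kolab_Server_Decorator_Clean%22%3A0%3A%7B%7D")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(sample[1], inspect_request(*sample))
```

The second sample uses a non-default base path to show why the match is on `login.php` rather than on `/horde/`.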
CVSS provenance
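| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |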
GHSA
GHSA-vrpw-h28p-3rfp: The framework/Util/lib/Horde/Variables
ghsa_unreviewed · 2022-05-17 · CVE-2014-1691 [HIGH] · CWE-94
OSV
CVE-2014-1691 [HIGH]: The framework/Util/lib/Horde/Variables
osv · 2014-04-01 · CVSS 7.5
Debian
CVE-2014-1691 [HIGH]: php-horde-util - The framework/Util/lib/Horde/Variables.php script in the Util library in Horde b...
vendor_debian · 2014 · CVSS 7.5
Scope: local
bookworm: resolved (fixed in 2.3.0-1)
bullseye: resolved (fixed in 2.3.0-1)
sid: resolved (fixed in 2.3.0-1)
No detection rules found.
Exploit-DB
Horde Framework - Unserialize PHP Code Execution (Metasploit)
exploitdb · 2014-03-22 · CVE-2014-1691
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Horde Framework Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a php unserialize() vulnerability in Horde
[
'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-1691' ],
[ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
[ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
[ 'URL', 'https://github.com/horde/horde/co
Metasploit
Horde Framework Unserialize PHP Code Execution
metasploit
This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be abused to allow unauthenticated users to execute arbitrary code with the permissions of the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file. The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean class to reach a dangerous call_user_func() call in the Horde_Prefs class.
Bugzilla
CVE-2014-1691 [HIGH] horde: unserializing certain form input leads to code execution
bugzilla · 2014-01-28 · CVSS 7.5
It was found that certain, user-supplied form input was unserialized by Horde. A remote attacker could use this flaw to execute arbitrary code.
It was reported[1] that this issue affects at least versions 3.1.x to 5.1.1. This issue has already been fixed in php-horde-Horde-Util for Fedora and EPEL.
[1] http://seclists.org/oss-sec/2014/q1/153
Upstream commit:
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Note that this issue also affects the horde package. There, it is in the Variables class (different from the above github commit):
class Variables {

    var $_vars;
    var $_expectedVariables = array();

    function Variables($vars = array())
    {
        if (is_null($vars
Bugzilla
CVE-2014-1691 [HIGH] horde: unserializing certain form input leads to code execution [fedora-all]
bugzilla · 2014-01-28 · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: t
Bugzilla
CVE-2014-1691 [HIGH] horde: unserializing certain form input leads to code execution [epel-all]
bugzilla · 2014-01-28 · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note
- http://seclists.org/oss-sec/2014/q1/153
- http://seclists.org/oss-sec/2014/q1/156
- http://seclists.org/oss-sec/2014/q1/169
- http://www.debian.org/security/2014/dsa-2853
- https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215
- https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Published: 2014-04-01