cbcvebase.
CVE-2014-1691
published 2014-04-01

CVE-2014-1691: The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and…

PriorityP266high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
42.90%
98.6th percentile
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.

Affected

7 ranges
VendorProductVersion rangeFixed in
debianphp-horde-util< php-horde-util 2.3.0-1 (bookworm)php-horde-util 2.3.0-1 (bookworm)
hordehorde_application_framework<= 5.1.0
hordehorde_application_framework
hordehorde_application_framework
hordehorde_application_framework
hordehorde_application_framework
hordehorde_application_framework

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor POST requests to login.php containing a '_formvars' parameter with a serialized PHP object payload (beginning with 'O:' notation), particularly referencing 'Horde_Kolab_Server_Decorator_Clean'.
  • Detect HTTP requests carrying a 'Cmd' header containing base64-encoded data, used to deliver the PHP payload via $_SERVER[HTTP_CMD].
  • The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean class to reach a dangerous call_user_func() call in the Horde_Prefs class; look for serialized objects referencing these class names in form input.
  • Flag unauthenticated POST requests to the Horde login endpoint where _formvars contains PHP serialized object strings (regex: O:\d+:"Horde_).
  • ·The default TARGETURI for the Metasploit module is '/horde/', meaning the exploit posts to '/horde/login.php'. Deployments with a non-default base path will use a different URI.
  • ·Applying only the upstream patch to Variables.php will break all forms in Horde; the Horde_Form package (>= 2.0.5) must also be updated in tandem.
  • ·The vulnerability affects a wide range of Horde versions, not just 5.x; versions 3.1.x through 5.1.1 are reported as affected.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.