CVE-2019-9858
Published 2019-05-29
Priority: P269 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public
EPSS: 19.16% (97.0th percentile)
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which use unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter probably went unnoticed because it is never submitted by the forms, which default to securely using a random path.)
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-horde-form | < php-horde-form 2.0.18-3.1 (bookworm) | php-horde-form 2.0.18-3.1 (bookworm) |
| horde | groupware | — | — |
| horde | groupware | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests containing the parameter 'object[photo][img][file]' with path traversal sequences (e.g., '../') targeting Horde Groupware Webmail endpoints, as this is the unsanitized parameter exploited to write arbitrary files.
- Alert on creation of new .php files under the Horde static/ directory (e.g., /usr/share/horde/static/), as this directory is always writable and is the primary target for dropped PHP backdoors.
- Exploitation requires an authenticated session and the Turba subcomponent to be installed; correlate authenticated user activity with suspicious file upload requests to Horde Form endpoints.
- Flag Horde installations running versions 5.2.17 or 5.2.22 with Horde Form subcomponent < 2.0.19 as vulnerable; prioritize patching or detection coverage for these versions.
- The malicious POST parameter 'object[photo][img][file]' is never submitted by legitimate Horde forms (which use a random path by default), meaning its presence in a request is a strong anomaly indicator.
- The vulnerability is only exploitable by authenticated attackers; unauthenticated exploitation is not possible, so detection should focus on authenticated sessions performing suspicious file uploads.
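The two detection points above (the never-legitimately-submitted parameter, and traversal in its value) and the underlying defect (a user-controlled path handed to move_uploaded_file()) can be exercised with a small script. The following is an added example written for this page; it is not code from Horde, the advisory, or the indexed sources. It assumes a defender has access to decoded POST bodies (for example from a WAF or reverse-proxy log), and the upload directory /var/tmp/horde_upload is a constructed placeholder, not Horde's real configuration. destination_is_safe() shows the generic containment check that would have blocked the traversal; it is not the project's actual patch.

```python
import os
import re
from urllib.parse import parse_qs

# Parameter named in the advisory; legitimate Horde forms never send it.
SUSPECT_PARAM = "object[photo][img][file]"
# A ".." path component, with forward or back slashes, at start, middle or end.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Extensions a web server would execute if written under the web root.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar")


def inspect_post_body(body):
    """Return a list of finding tags for one URL-encoded POST body.

    The presence of SUSPECT_PARAM at all is reported, because the advisory
    notes the parameter is never submitted by the real forms. Traversal
    sequences and script extensions in its value are reported separately so
    an alert rule can weight them.
    """
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(SUSPECT_PARAM)
    if values is None:
        return findings
    findings.append("unexpected-param")
    for value in values:
        if TRAVERSAL.search(value):
            findings.append("path-traversal")
        if value.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append("script-extension")
    return findings


def destination_is_safe(upload_dir, requested_name):
    """Containment check: the resolved target must stay inside upload_dir.

    realpath() collapses ".." components and follows symlinks, so a value
    such as "../usr/share/horde/static/bd.php" resolves outside the base
    and is rejected. An absolute requested_name is rejected for the same
    reason, because os.path.join discards the base when it sees one.
    """
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    return target == base or target.startswith(base + os.sep)


# Constructed sample bodies (not captured traffic). The first mirrors a normal
# contact-edit submission; the second carries the parameter and value shape the
# advisory describes, percent-encoded as a browser or client would send it.
SAMPLE_BODIES = {
    "benign": "object[name]=Alice&object[email]=alice%40example.com",
    "suspicious": (
        "object%5Bphoto%5D%5Bimg%5D%5Bfile%5D="
        "..%2Fusr%2Fshare%2Fhorde%2Fstatic%2Fbd.php&object%5Bname%5D=x"
    ),
}


def triage_samples():
    """Run the inspector over the constructed samples; returns {label: findings}."""
    return {label: inspect_post_body(body) for label, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for label, findings in triage_samples().items():
        print(f"{label}: {findings or 'no findings'}")
    # Hypothetical upload directory used only to demonstrate the check.
    for name in ("a1b2c3.jpg", "../usr/share/horde/static/bd.php"):
        print(name, "->", "allowed" if destination_is_safe("/var/tmp/horde_upload", name) else "rejected")
```

A rule built on inspect_post_body() should fire on "unexpected-param" alone when the request comes from an authenticated Horde session, since the advisory states the parameter has no legitimate source; "path-traversal" and "script-extension" raise the severity rather than gate the alert.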
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
GHSA
GHSA-mhgr-3vxf-9f79 (ghsa_unreviewed, 2022-05-24): CVE-2019-9858 [HIGH], CWE-22. Carries the same description as above.
OSV
CVE-2019-9858 (osv, 2019-05-29, CVSS 8.8): [HIGH]. Carries the same description as above.
Debian
CVE-2019-9858: php-horde-form (vendor_debian, 2019, CVSS 8.8): [HIGH]. Carries the same description as above.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html
- https://seclists.org/bugtraq/2019/Jun/31
- https://ssd-disclosure.com/?p=3814&preview=true
- https://www.debian.org/security/2019/dsa-4468