1059000 – (CVE-2014-1691) CVE-2014-1691 horde: unserializing certain form input leads to code execution

Bug 1059000 (CVE-2014-1691) - CVE-2014-1691 horde: unserializing certain form input leads to code execution

Summary: CVE-2014-1691 horde: unserializing certain form input leads to code execution

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2014-1691
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1059001 1059003
Blocks:
TreeView+	depends on / blocked

Reported:	2014-01-28 23:57 UTC by Murray McAllister
Modified:	2021-02-04 00:57 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-22 16:49:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Murray McAllister 2014-01-28 23:57:08 UTC

It was found that certain, user-supplied form input was unserialized by Horde. A remote attacker could use this flaw to execute arbitrary code.

It was reported[1] that this issue affects at least versions 3.1.x to 5.1.1. This issue has already been fixed in php-horde-Horde-Util for Fedora and EPEL.

[1] http://seclists.org/oss-sec/2014/q1/153

Upstream commit:

https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3

Note that this issue also affects the horde package. There, it is in the Variables class (different from the above github commit):

21 class Variables {
22 
23     var $_vars;
24     var $_expectedVariables = array();
25 
26     function Variables($vars = array())
27     {
28         if (is_null($vars)) {
29             $vars = Util::dispelMagicQuotes($_REQUEST);
30         }
31         if (isset($vars['_formvars'])) {
32             $this->_expectedVariables = @unserialize($vars['_formvars']);
33             unset($vars['_formvars']);
34         }
35         $this->_vars = $vars;

Comment 1 Murray McAllister 2014-01-28 23:58:56 UTC

Created horde tracking bugs for this issue:

Affects: fedora-all [bug 1059001]
Affects: epel-all [bug 1059003]

Comment 2 Murray McAllister 2014-01-29 00:18:52 UTC

I do not know the difference between php-horde-Horde-Util and horde. Mailed oss-sec in case another CVE or anything is needed:

http://www.openwall.com/lists/oss-security/2014/01/29/1

Comment 3 Remi Collet 2014-01-29 06:06:13 UTC

FYI: "horde" is the old application (version 3) build from a single tarball (but still available in the repository)

horde is now distributed via a pear channel and split in ~100 packages.

php-pear-Horde-Util 2.3.0 (with this fix) is already in the repository (but not yet used as pear-horde-horde 5.1.5 is still under  review).

Comment 4 Murray McAllister 2014-01-29 12:01:46 UTC

> Upstream commit:
> 
> https://github.com/horde/horde/commit/
> da6afc7e9f4e290f782eca9dbca794f772caccb3

Jan Schneider noted on the oss-security list:

Packagers, please note that applying only this patch will break all forms in Horde. The changed serialization method need to be used in the Horde_Form package too. This is happening since Horde_Form 2.0.5 and introduced with this commit:
https://github.com/horde/horde/commit/acf67ab4a633037849aca9e4a7592465b999ad93

Comment 5 Vasyl Kaigorodov 2014-06-30 13:25:22 UTC

Public exploit has been posted to FullDisclosure mailing list: http://seclists.org/fulldisclosure/2014/Jun/164

Note You need to log in before you can comment on or make changes to this bug.