It was found that certain user-supplied form input was unserialized by Horde. A remote attacker could use this flaw to execute arbitrary code. It was reported [1] that this issue affects at least versions 3.1.x to 5.1.1.

This issue has already been fixed in php-horde-Horde-Util for Fedora and EPEL.

[1] http://seclists.org/oss-sec/2014/q1/153

Upstream commit:
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3

Note that this issue also affects the horde package. There, it is in the Variables class (different from the above github commit):

    class Variables {

        var $_vars;
        var $_expectedVariables = array();

        function Variables($vars = array())
        {
            if (is_null($vars)) {
                $vars = Util::dispelMagicQuotes($_REQUEST);
            }
            if (isset($vars['_formvars'])) {
                // Request-controlled string passed straight to unserialize()
                $this->_expectedVariables = @unserialize($vars['_formvars']);
                unset($vars['_formvars']);
            }
            $this->_vars = $vars;
        }

        // ... (remaining methods of the class omitted)
    }
Created horde tracking bugs for this issue:

Affects: fedora-all [bug 1059001]
Affects: epel-all [bug 1059003]
I do not know the difference between php-horde-Horde-Util and horde. Mailed oss-sec in case another CVE or anything is needed: http://www.openwall.com/lists/oss-security/2014/01/29/1
FYI: "horde" is the old application (version 3), built from a single tarball (but still available in the repository). Horde is now distributed via a pear channel and split into ~100 packages.

php-pear-Horde-Util 2.3.0 (with this fix) is already in the repository (but not yet used, as pear-horde-horde 5.1.5 is still under review).
> Upstream commit:
>
> https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3

Jan Schneider noted on the oss-security list:

Packagers, please note that applying only this patch will break all forms in Horde. The changed serialization method needs to be used in the Horde_Form package too. This is happening since Horde_Form 2.0.5 and was introduced with this commit:
https://github.com/horde/horde/commit/acf67ab4a633037849aca9e4a7592465b999ad93
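As an added example, not code from the Horde project or from this bug's commenters: a hardened stand-in for the Horde 3 Variables constructor quoted earlier in this bug, paired with the matching form-side encoder, since the reading and writing sides must agree on the encoding (the packager note above). It assumes JSON as the replacement encoding; the class and function names are illustrative.

```php
<?php
// Added example, not Horde's own code. Assumes JSON replaces serialize()
// for the _formvars hidden field; HardenedVariables and
// encodeExpectedVariables are illustrative names.

// Form side: encode the list of expected field names for the hidden input.
// Whatever emits the form must use this, or every form breaks on submit.
function encodeExpectedVariables(array $names)
{
    return json_encode(array_values(array_map('strval', $names)));
}

class HardenedVariables
{
    var $_vars;
    var $_expectedVariables = array();

    function __construct($vars = null)
    {
        if (is_null($vars)) {
            $vars = $_REQUEST;
        }
        if (isset($vars['_formvars'])) {
            // json_decode() cannot instantiate PHP classes, unlike unserialize(),
            // so a crafted _formvars never reaches __wakeup()/__destruct().
            $decoded = json_decode($vars['_formvars'], true);
            // Accept only the shape a form needs: a flat list of strings.
            if (is_array($decoded)) {
                foreach ($decoded as $name) {
                    if (is_string($name)) {
                        $this->_expectedVariables[] = $name;
                    }
                }
            }
            unset($vars['_formvars']);
        }
        $this->_vars = $vars;
    }
}

// Constructed request mimicking a legitimate form submission.
$hidden  = encodeExpectedVariables(array('username', 'email'));
$request = array('_formvars' => $hidden, 'username' => 'alice');
$v = new HardenedVariables($request);
var_dump($v->_expectedVariables);

// Constructed non-JSON input (PHP serialize format) is simply not an array
// after json_decode(), so the expected-variable list stays empty.
$v2 = new HardenedVariables(array('_formvars' => 'O:8:"stdClass":0:{}'));
var_dump($v2->_expectedVariables);
```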
Public exploit has been posted to FullDisclosure mailing list: http://seclists.org/fulldisclosure/2014/Jun/164