-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: Horde Application Framework Horde_Form_Type_image Arbitrary File Overwrite Vulnerability Release Date: 2009/09/18 Last Modified: 2009/09/18 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Horde Application Framework <= 3.2.4 Severity: PHP applications using the Horde_Form_Type_image form element can be tricked into overwriting arbitrary files writable by the webserver which might result in PHP remote code execution Risk: High Vendor Status: Horde 3.2.5 was released which fixes this vulnerability Reference: http://www.sektioneins.de/advisories/SE-2009-01.txt Overview: Quote from http://www.horde.org "The Horde Application Framework is a general-purpose web application framework in PHP, providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME handling, and more." During an audit of a PHP web application which is based on the Horde Application Framework it was discovered that form elements of the type Horde_Form_Type_image trust a user supplied temporary filename which allows to create or overwrite arbitrary files with the permissions of the webserver. By overwriting writable files within the document root like the Horde configuration file, or by creating new files within writable parts of the document root directory tree it is possible to upload arbitrary PHP files and execute them which obviously leads to the execution of arbitrary PHP code. Details: Within the Horde Application Framework a special kind of form element exists that handles image file uploads. This form element if for example used within the Turba address book application. These form elements usually move the uploaded image to some temporary file with a random name and verify that the file is indeed an image. Furthermore the Horde_Form_Type_image form element contains a feature that is meant to allow reusing the same temporary filename on reuploads. In order to support this the previously used temporary filename is stored inside hidden form fields and which is then trusted during upload processing. /* Get any existing values for the image upload field. */ $upload = $vars->get($var->getVarName()); $upload['img'] = @unserialize($upload['img']); /* Get the temp file if already one uploaded, otherwise create a * new temporary file. */ if (!empty($upload['img']['file'])) { $tmp_file = Horde::getTempDir() . '/' . $upload['img']['file']; } else { $tmp_file = Horde::getTempFile('Horde', false); } /* Move the browser created temp file to the new temp file. */ move_uploaded_file($this->_img['file'], $tmp_file); $this->_img['file'] = basename($tmp_file); The code snippet above demonstrates how the previously used temporary filename is extracted from the user supplied serialized array and then used as new temporary filename. It should be obvious that this allows writing to any writable file on the webserver. Additionally the code only remembers the basename() of the filename which does not contain the path. Therefore the later attempt to delete invalid images fails. Aside from the file overwrite problem the second problem is that the PHP function unserialize() is used on user supplied input which can be used for other things like crashing PHP through deeply nested array structures. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 24. July 2009 - Notified security@horde.org 14. September 2009 - Horde developers released Horde 3.2.5 18. September 2009 - Public Disclosure Recommendation: It is recommended to upgrade to the latest version of Horde Application Framework which also fixes additional bugs reported by third parties. Grab your copy at: http://ftp.horde.org/pub/horde/horde-3.2.5.tar.gz CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3236 to this vulnerability. GPG-Key: pub 1024D/15ABDA78 2004-10-17 Stefan Esser Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 Copyright 2009 SektionEins GmbH. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqznUQACgkQSuF5XhWr2nhJPACfZutQFErGy7q/1UhgaVe/EJ5m IaUAn06dzJLfEQaJsO8oJJAukoMz0BHZ =wtnl -----END PGP SIGNATURE-----