This Week in Security: For the Horde, Feature Not a Bug, and Confluence


If you go back through the history of open source webmail projects, you will find Horde, a collaborative web application suite. First released in 1998 on Freshmeat, it gained some notoriety in early 2012 when it was discovered that version 3.0 had been tampered with, and packages containing a backdoor had been shipped for three months. Although this time it’s not an intentional backdoor, there is a very serious problem in the Horde webmail interface. Or more precisely, a pair of problems. The most serious is CVE-2022-30287, an RCE bug that allows an authenticated user to trigger code execution on the server.

The vulnerable element is the Turba address book module, which uses a PHP factory method to access a specific address book. The create() method has an interesting piece of code, which first checks the type of the initialization value. If it is a string, the value is understood as the name of the local address book to access. However, if the factory is initialized with an array, any address book driver can be selected, including the IMSP driver. IMSP retrieves serialized data from remote servers and deserializes it. And yes, PHP can have deserialization bugs, and this one executes code on the host.

But that’s not so bad, since those are only authenticated users, right? That would be bad enough, but the second bug is a cross-site request forgery, CSRF, triggered by viewing an email. Thus, on a vulnerable Horde server, any user viewing a malicious message would trigger RCE on the server. Yikes. So let’s talk fixes. There’s a new version of the Turba module that appears to fix the bugs, but it’s unclear whether the current Horde suite has pushed an update that includes it. So you may be on your own. As noted on the Sonar blog, where the vulnerability was discovered, Horde itself appears to be essentially unmaintained at this point. It might be time to consider migrating to a new platform.

Vulnerability or functionality?

The saga continues in Microsoft’s handling of Follina. There is another, similar problem: DogWalk. It’s not as bad as Follina; this one is a problem in .diagcab handling. The cab can point to an XML file on a remote WebDAV server, and the returned files bypass the normal checks for disallowed filenames. So, for example, `..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe` gets created, with predictably disastrous consequences.

Now, is this a vulnerability? Well, on the one hand, it is a file downloaded from the Internet that the user has intentionally opened. On the other hand, it is not an executable and should not execute arbitrary code. A web browser will happily download the file and let a user open the potentially malicious file. It’s not a 10.0, but it looks like a vulnerability. Microsoft declined to issue a CVE, similar to its initial handling of Follina, which is still an unpatched 0-day vulnerability exploited in the wild. We could speculate that Microsoft received a national security letter regarding the bug, but that’s an extremely unlikely scenario.

The other vulnerability that didn’t exist

Or maybe it’s a vulnerability. You decide. The Formidable library is a Node.js library for parsing form data, including file uploads. The vulnerability is CVE-2022-29622, an arbitrary file upload issue. You can already see the controversy there. A file upload library allows arbitrary uploads – by design. It’s literally a feature of the library. So, was the whole vulnerability report, with a score of 9.8, total rubbish? Well, no, there’s actually a bug – or at least a feature that doesn’t always work as expected.

When you use Formidable to handle a file upload, it replaces the name with a random hex string. There is an option to keep the file extension, so if you upload `example.txt` you get a file named `84d38f5e070c248df3cdccc00.txt` on the server. The problem is which part of the filename is considered the extension. Everything after the first period was counted as the extension, meaning that if you uploaded a file named `test.pdf.jqlnn<img src="a">.png` you got a file named `randomstring.pdf.jqlnn<img src="a">.png`. If you relied on this behavior to sanitize the uploaded file name, you might get an XSS or even an RCE for your trouble. But that is not a vulnerability in Formidable.

That is the argument [Zsolt Imre] makes in his analysis of the issue and its defense. The real kicker is that the rushed fix introduces a problem at least as serious as the one it was trying to fix.

Confluence under exploitation

Atlassian’s Confluence has an unauthenticated critical RCE that is being exploited in the wild. Volexity researchers broke the story after investigating a pair of compromised servers. Samples of the attack have been captured in various honeypots, and it looks like a simple exploit. Given what Confluence servers are used for, this issue has the potential for follow-on effects, with attackers gaining footholds in developer networks.

Bits and Bytes

How scary is it to expose RDP to the internet? For those old Linux hands, scarier than exposing SSHD. They logged almost 40,000 login attempts in 4 days, most of them against the administrator account. It was also interesting to note the number of attacks originating from a pair of network blocks, 45.227.254.0/24 and 194.165.16.0/24, both belonging to Flyserver.

The SSNDOB Marketplace has been taken offline after more than 10 years of operation. It was probably the group behind the crushing attack on Brian Krebs. The only unfortunate part is that there were no arrests in connection with the takedown.
