Source: php-horde-form
Version: 2.0.18-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for php-horde-form.

CVE-2019-9858[0]:
| Remote code execution was discovered in Horde Groupware Webmail 5.2.22
| and 5.2.17. Horde/Form/Type.php contains a vulnerable class that
| handles image upload in forms. When the Horde_Form_Type_image method
| onSubmit() is called on uploads, it invokes the functions getImage()
| and _getUpload(), which uses unsanitized user input as a path to save
| the image. The unsanitized POST parameter object[photo][img][file] is
| saved in the $upload[img][file] PHP variable, allowing an attacker to
| manipulate the $tmp_file passed to move_uploaded_file() to save the
| uploaded file. By setting the parameter to (for example)
| ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside
| the web root. The static/ destination folder is a good candidate to
| drop the backdoor because it is always writable in Horde
| installations. (The unsanitized POST parameter went probably unnoticed
| because it's never submitted by the forms, which default to securely
| using a random path.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
[1] https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
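The following PHP script is an added illustration of the bug class described in the CVE text above; it is not part of this bug report, not Horde's code, and not the upstream fix in [1]. It reconstructs only the path resolution: a caller-controlled `object[photo][img][file]` value is concatenated onto a temporary directory and handed to move_uploaded_file(), so a value such as `../usr/share/horde/static/bd.php` escapes that directory. The hardened variant either generates the temporary name server-side (what the advisory says the forms normally do) or, when a name is echoed back by the client, accepts only a bare file name that stays inside the upload directory. The constant UPLOAD_DIR, the functions vulnerableDestination() and safeDestination(), and the constructed POST array are assumptions made for the example; move_uploaded_file() itself is not called because it only succeeds on a real HTTP upload.

```php
<?php
// Added example for CVE-2019-9858 (not Horde's code): how an unsanitized
// "file" key in the upload array becomes a path traversal, and how to
// resolve the destination safely. Names below are hypothetical.
declare(strict_types=1);

// Stand-in for the temp directory the application writes uploads to (assumption).
const UPLOAD_DIR = '/tmp/horde-upload-demo';

// Vulnerable pattern: the submitted value is used verbatim as the target
// path. Anything containing "../" walks out of UPLOAD_DIR.
function vulnerableDestination(array $upload): string
{
    $tmp_file = $upload['img']['file'];      // attacker-controlled
    return UPLOAD_DIR . '/' . $tmp_file;     // would be passed to move_uploaded_file()
}

// Hardened pattern: the server chooses the temp name. If a previously issued
// name is sent back, accept it only as a bare file name (no directory
// components, no NUL bytes, not "." or "..") that resolves inside UPLOAD_DIR.
function safeDestination(?string $requested): string
{
    if ($requested === null || $requested === '') {
        // No token supplied: create a fresh, unpredictable file ourselves.
        $name = tempnam(UPLOAD_DIR, 'img');
        if ($name === false) {
            throw new RuntimeException('cannot create temp file');
        }
        return $name;
    }
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $requested)
        || $requested === '.' || $requested === '..') {
        throw new RuntimeException('invalid upload token');
    }
    $candidate = UPLOAD_DIR . '/' . $requested;
    // Defence in depth: the parent of the final path must be UPLOAD_DIR itself.
    $dir    = realpath(UPLOAD_DIR);
    $parent = realpath(dirname($candidate));
    if ($dir === false || $parent !== $dir) {
        throw new RuntimeException('destination escapes upload directory');
    }
    return $candidate;
}

if (PHP_SAPI === 'cli') {
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0700, true)) {
        fwrite(STDERR, "cannot create " . UPLOAD_DIR . "\n");
        exit(1);
    }

    // Constructed POST payload modelled on the value quoted in the advisory.
    $post = ['object' => ['photo' => ['img' => [
        'file' => '../usr/share/horde/static/bd.php',
    ]]]];
    $upload = $post['object']['photo'];

    echo "vulnerable: ", vulnerableDestination($upload), "\n";

    try {
        echo "hardened:   ", safeDestination($upload['img']['file']), "\n";
    } catch (RuntimeException $e) {
        echo "hardened:   rejected (", $e->getMessage(), ")\n";
    }

    // Normal case: no client-supplied name, server picks a random one.
    echo "hardened (no token): ", safeDestination(null), "\n";
}
```

Run it with `php demo.php`: the vulnerable resolver returns a path that, once normalised, lands under /usr/share/horde/static, while the hardened resolver rejects the traversal token and falls back to a server-generated name. The regex whitelist is the check that does the work; the realpath() comparison is there so that a later refactor which loosens the whitelist still cannot write outside UPLOAD_DIR.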