NVD Vulnerability Detail

CVE-2019-9858

Summary	Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it's never submitted by the forms, which default to securely using a random path.)
Publication Date	May 30, 2019, 2:29 a.m.
Registration Date	Jan. 26, 2021, 11:45 a.m.
Last Update	Nov. 21, 2024, 1:52 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:horde:groupware:5.2.17::::webmail:::
cpe:2.3:a:horde:groupware:5.2.22::::webmail:::

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html	Exploit Third Party Advisory VDB Entry
2	https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html	Mailing List Third Party Advisory
3	https://seclists.org/bugtraq/2019/Jun/31	Mailing List Third Party Advisory
4	https://ssd-disclosure.com/?p=3814&preview=true	Exploit Third Party Advisory
5	https://www.debian.org/security/2019/dsa-4468	Third Party Advisory
6	http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html	Exploit Third Party Advisory VDB Entry
7	https://www.debian.org/security/2019/dsa-4468	Third Party Advisory
8	https://ssd-disclosure.com/?p=3814&preview=true	Exploit Third Party Advisory
9	https://seclists.org/bugtraq/2019/Jun/31	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html	Mailing List Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Horde Groupware Webmail におけるコードインジェクションの脆弱性

Title	Horde Groupware Webmail におけるコードインジェクションの脆弱性
Summary	Horde Groupware Webmail には、コードインジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 24, 2019, midnight
Registration Date	June 12, 2019, 5:43 p.m.
Last Update	June 12, 2019, 5:43 p.m.

Affected System

Horde

Horde Groupware 5.2.17 (Webmail)

Horde Groupware 5.2.22 (Webmail)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-9858	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
National Vulnerability Database (NVD)
2	CVE-2019-9858	https://nvd.nist.gov/vuln/detail/CVE-2019-9858

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-94	https://jvndb.jvn.jp/ja/cwe/CWE-94.html

ベンダー情報

No	Name	URL
Horde
1	Webmail	https://www.horde.org/apps/webmail

その他

No	Name	URL
関連文書
1	SSD Advisory - Horde Groupware Webmail Authenticated Arbitrary File Injection to RCE	https://ssd-disclosure.com/archives/3814/ssd-advisory-horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce

Change Log

No	Changed Details	Date of change
1	[2019年06月12日] 掲載	June 12, 2019, 5:43 p.m.