[UNIX] Horde Project Cleanup Script Arbitrary File Deletion Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Horde Project Cleanup Script Arbitrary File Deletion Vulnerability
------------------------------------------------------------------------


SUMMARY

The <http://www.horde.org/> Horde Project provides "a PHP-based
framework, as well as applications for web-based group collaboration. IMP
is their web-mail application". Local exploitation of an input processing
vulnerability within Horde Project's Horde and IMP allows attackers to
delete arbitrary files.

DETAILS

Vulnerable Systems:
* Horde Framework; versions 3.0, 3.0.4, and 3.1.3
* Horde IMP; versions 2.0.8, 2.0.9, 2.2.8, 2.3.6, 3.0, 3.1, 3.2.1, 3.2.6,
and 3.2.8

* The cleanup script was originally contained within the IMP package. The
script was moved into the Horde Framework with the release of Horde
Framework (H3) 3.0.

Immune Systems:
* Horde Framework version 3.1.4

The vulnerability specifically exists due to the improper handling of the
output from an execution of find(1). The output from find(1) is passed
directly to a "for X in Y; do" as the Y value. Since the Y value is
delimited by spaces, the for loop will process files containing spaces in
their path as separate files. An attacker can create a file path
containing spaces to manipulate the output from find(1).

For example, creating the file "/tmp/x /etc/passwd /tmp/mswordx", the
following files will be deleted by the cron script; "/tmp/x",
"/etc/passwd", and "/tmp/mswordx".

Analysis:
Exploitation allows attackers to delete arbitrary files with the
privileges of the user configured to run the cron script. Since a
specially created path must be created on the local file system, local
access is required.

In some cases this script may be installed to run as root. If installed
with lesser privileges, such as that of the web server, this vulnerability
is not quite as severe.

By deleting arbitrary files an attacker could possibly remove access
controls, deny access to the system, or reset configurations. In some
cases, it may be possible for an attacker to gain elevated privileges from
this vulnerability.

Workaround:
Disabling the vulnerable cron script will effectively prevent exploitation
of this vulnerability.

Vendor response:
The Horde Project has corrected the vulnerable cron script within version
3.1.4 of the Horde Application Framework.

Disclosure timeline:
03/07/2007 - Initial vendor notification
03/07/2007 - Initial vendor response
03/15/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=489>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=489



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages