The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Horde Kronolith Arbitrary Local File Inclusion Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.horde.org/kronolith/> Kronolith is "a web-based calendar
system written in PHP and utilizing the Horde Application Framework. It is
generally installed along side Horde's IMP web mail product". Remote
exploitation of a design error in Horde's Kronolith could allow an
authenticated web mail user to execute arbitrary PHP code under the
security context of the running Web server.
DETAILS
Vulnerable Systems:
* Horde Kronolith versions 2.0.1 through 2.1.3
Immune Systems:
* Horde Kronolith version 2.0.7
* Horde Kronolith version 2.1.4
The vulnerability specifically exists due to a design error in the way it
includes certain files. Specifically, the 'lib/FBView.php' file contains a
function 'Kronolith_FreeBusy_View::factory' which will include local files
that are supplied via the 'view' HTTP GET request parameter. An excerpt
from the code follows:
177 function &factory($view)
178 {
179 $driver = basename($view);
180 require_once dirname(__FILE__) . '/FBView/' . $view . '.php';
As you can see on line 179, input validation was done. However the
resulting string was not used on line 180. Instead the unfiltered variable
coming directly from the attacker is used. By utilizing directory
traversal specifiers and null bytes, an attacker can trivially cause files
stored on the Web server to be parsed as PHP code.
Analysis:
Successful exploitation could allow an attacker to include an arbitrary
local file on the affected host. Due to the lack of input validation on
$GET_['view'], directory traversal specifiers could be utilized to parse
any file on the system as PHP code.
Vendor response:
The Horde core team has addressed this vulnerability in versions 2.0.7 and
2.1.4 of Kronolith.
Disclosure Timeline:
11/21/2006 - Initial vendor notification
11/21/2006 - Initial vendor response
11/29/2006 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=445>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=445
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
