CVE-2019-9858: Path Traversal
First published: Wed May 29 2019(Updated: )
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it's never submitted by the forms, which default to securely using a random path.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/php-horde-form | 2.0.18-3.1+deb10u1 2.0.20-2 | |
| debian/php-horde-form | <=2.0.18-3<=2.0.15-1 | 2.0.18-3.1 2.0.15-1+deb9u1 |
| Horde Groupware | =5.2.17 | |
| Horde Groupware | =5.2.22 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ssd-disclosure.com/archives/3814/ssd-advisory-horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce
- https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e
- https://security-tracker.debian.org/tracker/CVE-2019-9858
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930321
- http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html
- https://seclists.org/bugtraq/2019/Jun/31
- https://ssd-disclosure.com/?p=3814&preview=true
- https://www.debian.org/security/2019/dsa-4468
Frequently Asked Questions
What is CVE-2019-9858?
CVE-2019-9858 is a vulnerability that allows remote code execution in Horde Groupware Webmail 5.2.22 and 5.2.17.
How does CVE-2019-9858 work?
CVE-2019-9858 works by exploiting a vulnerable class in Horde/Form/Type.php that handles image upload in forms.
What is the severity of CVE-2019-9858?
CVE-2019-9858 has a severity rating of 8.8 (high).
How do I fix CVE-2019-9858?
To fix CVE-2019-9858, update your installation to Horde Groupware Webmail version 5.2.22 or 5.2.17, or apply the appropriate patches provided by Debian.
Where can I find more information about CVE-2019-9858?
You can find more information about CVE-2019-9858 on Packet Storm Security, Debian LTS Announce, and Bugtraq mailing list.
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2019-9858
- collector/nvd-index
- package-manager/debian
- vendor/horde
- canonical/horde groupware
- version/horde groupware/5.2.17
- version/horde groupware/5.2.22
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0