{"id":9674,"date":"2017-10-03T14:19:08","date_gmt":"2017-10-03T22:19:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/03\/news-3447\/"},"modified":"2017-10-03T14:19:08","modified_gmt":"2017-10-03T22:19:08","slug":"news-3447","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/03\/news-3447\/","title":{"rendered":"SSD Advisory \u2013 Horde Groupware Unauthorized File Download"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 03 Oct 2017 12:14:16 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21.<\/p>\n<p>Horde Groupware Webmail Edition is &#8220;a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. 
Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Juan Pablo Lopez Yacubian, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Horde Groupware was informed of the vulnerability, to which they responded with:<br \/> &#8220;this has already been reported earlier by someone else, and is already fixed in the latest Gollem and Horde Groupware releases.<\/p>\n<p>Besides that, it&#8217;s not sufficient to have a list of the server&#8217;s users, you also need to exactly know the file name and path that you want to download. Finally, this only works on certain backends, where Horde alone is responsible for authentication, i.e. it won&#8217;t work with backends that require explicit authentication.&#8221;<\/p>\n<p><strong>Vulnerability details<\/strong><br \/> User-controlled input is not sufficiently sanitized when passed to the File Manager (Gollem) module (version 3.0.11).<\/p>\n<p>The &#8220;fn&#8221; parameter does not validate certain meta characters, which causes the requested file or filesystem to be downloaded without credentials.<\/p>\n<p>It is only necessary to know the username and the file name.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<pre>User = this is the username in horde\n\/ = the Meta character \/\n\/services\/download\/?app=gollem&amp;dir=%2Fhome%2Fuser&amp;backend=sqlhome&amp;fn=\/test.php<\/pre>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2.png\" data-slb-active=\"1\" data-slb-asset=\"2080077003\" data-slb-internal=\"0\" data-slb-group=\"3454\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2-300x171.png\" alt=\"\" 
width=\"300\" height=\"171\" class=\"alignnone size-medium wp-image-3455\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2-300x171.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2-768x437.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2-1024x582.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2.png 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1.png\" data-slb-active=\"1\" data-slb-asset=\"377147863\" data-slb-internal=\"0\" data-slb-group=\"3454\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1-300x171.png\" alt=\"\" width=\"300\" height=\"171\" class=\"alignnone size-medium wp-image-3456\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1-300x171.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1-768x437.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1-1024x582.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot1.png 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3454\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/10\/snapshot2-300x171.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 03 Oct 2017 12:14:16 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21. Horde Groupware Webmail Edition is &#8220;a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3454\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Horde Groupware Unauthorized File Download<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11591,10757,12136],"class_list":["post-9674","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-file-disclosure","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9674"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/
v2\/posts\/9674\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9674"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}