Advisory 01/2009: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability

                         SektionEins GmbH
                        www.sektioneins.de

                     -= Security  Advisory =-

     Advisory: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability
 Release Date: 2009/09/18
Last Modified: 2009/09/18
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Horde Application Framework <= 3.2.4
     Severity: PHP applications using the Horde_Form_Type_image form
               element can be tricked into overwriting arbitrary files
               writable by the webserver which might result in PHP
               remote code execution
         Risk: High
Vendor Status: Horde 3.2.5 was released which fixes this vulnerability
    Reference: http://www.sektioneins.de/advisories/SE-2009-01.txt

Overview:

  Quote from http://www.horde.org
  "The Horde Application Framework is a general-purpose web application
   framework in PHP, providing classes for dealing with preferences,
   compression, browser detection, connection tracking, MIME handling,
   and more."

  During an audit of a PHP web application based on the Horde
  Application Framework it was discovered that form elements of the type
  Horde_Form_Type_image trust a user supplied temporary filename, which
  allows an attacker to create or overwrite arbitrary files with the
  permissions of the webserver.

  By overwriting writable files within the document root, such as the
  Horde configuration file, or by creating new files within writable
  parts of the document root directory tree, it is possible to upload
  arbitrary PHP files and execute them, which leads to the execution of
  arbitrary PHP code.

Details:

  Within the Horde Application Framework a special kind of form element
  exists that handles image file uploads. This form element is, for
  example, used within the Turba address book application. These form
  elements usually move the uploaded image to a temporary file with a
  random name and verify that the file is indeed an image.

  Furthermore the Horde_Form_Type_image form element contains a feature
  that is meant to allow reusing the same temporary filename on reuploads.
  In order to support this, the previously used temporary filename is
  stored inside hidden form fields, and that value is then trusted during
  upload processing.

    /* Get any existing values for the image upload field. */
    $upload = $vars->get($var->getVarName());
    $upload['img'] = @unserialize($upload['img']);

    /* Get the temp file if already one uploaded, otherwise create a
     * new temporary file. */
    if (!empty($upload['img']['file'])) {
        $tmp_file = Horde::getTempDir() . '/' . $upload['img']['file'];
    } else {
        $tmp_file = Horde::getTempFile('Horde', false);
    }

    /* Move the browser created temp file to the new temp file. */
    move_uploaded_file($this->_img['file'], $tmp_file);
    $this->_img['file'] = basename($tmp_file);

  The code snippet above demonstrates how the previously used temporary
  filename is extracted from the user supplied serialized array and then
  used as the new temporary filename. It should be obvious that this
  allows writing to any writable file on the webserver. Additionally, the
  code only remembers the basename() of the filename, which strips the
  directory part, so the later attempt to delete invalid images fails.

  Aside from the file overwrite, a second problem is that the PHP
  function unserialize() is called on user supplied input, which can be
  abused for other purposes, such as crashing PHP through deeply nested
  array structures.
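  The following hardened version of the temp-file reuse logic is added
  here as an example; it is not Horde's code and not the fix shipped in
  3.2.5. The function names, the use of json_decode() in place of
  unserialize() for the hidden field, and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not Horde's code or its 3.2.5 fix. Function names and
// the json encoding of the hidden field are assumptions for this demo.

/* Return the existing temp file to reuse, or null when the client-supplied
 * name must not be trusted: only a bare file name that resolves to a
 * regular file inside $tmpDir is accepted. */
function safe_reuse_temp_file(string $tmpDir, $storedName): ?string
{
    if (!is_string($storedName) || $storedName === '') {
        return null;
    }
    // Bare file name only: no "/" or "\", no "." or "..", no NUL byte.
    if (strpbrk($storedName, "/\\\0") !== false
        || $storedName === '.' || $storedName === '..') {
        return null;
    }
    // realpath() resolves symlinks, so a link that points outside the
    // temp directory is refused by the prefix check below.
    $real = realpath($tmpDir . DIRECTORY_SEPARATOR . $storedName);
    $realDir = realpath($tmpDir);
    if ($real === false || $realDir === false || !is_file($real)
        || strncmp($real, $realDir . DIRECTORY_SEPARATOR, strlen($realDir) + 1) !== 0) {
        return null;
    }
    return $real;
}

/* Hardened replacement for the vulnerable snippet: the hidden field is
 * decoded with json_decode() instead of unserialize(), and a fresh temp
 * file is created whenever the stored name fails validation. */
function pick_temp_file(string $tmpDir, string $hiddenField, callable $newTempFile): string
{
    $img = json_decode($hiddenField, true);
    $reuse = safe_reuse_temp_file($tmpDir, $img['file'] ?? null);
    return $reuse ?? $newTempFile();
}

// Constructed demo: an existing temp file is reused, a traversal name
// (constructed value) is rejected and a fresh temp file is created instead.
$tmpDir = sys_get_temp_dir();
$existing = tempnam($tmpDir, 'Horde');
$fresh = function () use ($tmpDir) { return tempnam($tmpDir, 'Horde'); };
$reused = pick_temp_file($tmpDir, json_encode(['file' => basename($existing)]), $fresh);
$replaced = pick_temp_file($tmpDir, json_encode(['file' => '../../config/conf.php']), $fresh);
var_dump($reused === realpath($existing), $replaced !== realpath($existing));
unlink($existing);
unlink($replaced);
```

  Even a name that passes this check still designates a file in the
  shared temp directory, so binding the stored name to the user's session
  (or never accepting a client-supplied name at all) is the stronger fix.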

Proof of Concept:

  SektionEins GmbH is not going to release a proof of concept
  exploit for this vulnerability.

Disclosure Timeline:

  24. July      2009 - Notified security@horde.org
  14. September 2009 - Horde developers released Horde 3.2.5
  18. September 2009 - Public Disclosure

Recommendation:

  It is recommended to upgrade to the latest version of Horde
  Application Framework which also fixes additional bugs reported by
  third parties.

  Grab your copy at:
  http://ftp.horde.org/pub/horde/horde-3.2.5.tar.gz

CVE Information:

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CVE-2009-3236 to this vulnerability.

GPG-Key:

  pub  1024D/15ABDA78 2004-10-17 Stefan Esser
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2009 SektionEins GmbH. All rights reserved.