The unsanitized post parameter
object[photo][img][file] is saved in the
$upload['img']['file'] php variable, allowing an attacker to manipulate the
$tmp_file passed to
move_uploaded_file() to save the uploaded file.
Set the parameter to e.g.
../usr/share/horde/static/bd.php to write a php backdoor inside the web root. the
static/ destination folder is a good candidate to drop the backdoor because is always writable in horde installations.
The unsanitized POST parameter went probably unnoticed because it’s never submitted by the forms which default to securely use a random path.
New Contact view via
Address Book in the menu.
Fill the mandatory fields submitting the PHP backdoor in the
Photo file field. The file name is irrelevant.
Click the Add button and intercept the outgoing HTTP request using Burp Suite. You should see the POST data including the uploaded PHP backdoor.
object[photo][img][file] with the path to traverse the temporary folder and save the PHP backdoor under under the
static/ folder. Two path traversals have been found working in different installations:
./usr/share/horde/static/bd.php, working with Horde installed with
./var/www/html/horde/static/bd.php, working with Horde manually installed with PEAR
Use the uploaded PHP file to execute arbitrary commands.
Install the module under
Update Horde Form subcomponent to the version 2.0.19 or later.