The unsanitized POST parameter object[photo][img][file] is saved in the $upload['img']['file'] PHP variable, allowing an attacker to manipulate the $tmp_file path passed to move_uploaded_file() to save the uploaded file.
Set the parameter to e.g. ../usr/share/horde/static/bd.php to write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations.
The unsanitized POST parameter probably went unnoticed because it is never submitted by the forms, which default to securely using a random path.
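The defect class above (a client-controlled file name joined onto a temporary directory and passed straight to the file move) is easy to reproduce and to check for outside of Horde. The following Python block is an added illustration, not Horde's code: it shows the unsafe join, a containment check based on the resolved path, the hardened variant that rejects anything escaping the temp directory, and the approach the advisory says the forms already use by default (a random server-generated path). The temp directory and the two traversal values are constructed sample inputs taken from the advisory text.

```python
import os
import tempfile

# Constructed sample values: the upload temp dir and the two traversal
# payloads the advisory reports for apt-get and PEAR installations.
TMP_DIR = "/tmp"
TRAVERSAL_PAYLOADS = [
    "../usr/share/horde/static/bd.php",
    "../var/www/html/horde/static/bd.php",
]


def unsafe_destination(tmp_dir: str, client_supplied_file: str) -> str:
    """Mirrors the defect: the client-controlled value is joined onto the
    temp dir with no containment check, so '..' walks out of tmp_dir."""
    return os.path.normpath(os.path.join(tmp_dir, client_supplied_file))


def is_within(base_dir: str, candidate: str) -> bool:
    """True if candidate resolves to base_dir or a path below it.
    Both sides are resolved with realpath so symlinked temp dirs compare
    correctly; commonpath avoids the '/tmp' vs '/tmpfoo' prefix mistake."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_destination(tmp_dir: str, client_supplied_file: str) -> str:
    """Hardened variant: accept a client name only if the resolved result
    stays inside tmp_dir; raise on traversal instead of moving the file."""
    candidate = os.path.join(tmp_dir, client_supplied_file)
    if not is_within(tmp_dir, candidate):
        raise ValueError(
            f"upload destination escapes {tmp_dir}: {client_supplied_file!r}"
        )
    return os.path.realpath(candidate)


def random_destination(tmp_dir: str) -> str:
    """Preferred fix: ignore the client value entirely and let the server
    pick a random file name inside tmp_dir (what the forms do by default)."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="upload_")
    os.close(fd)
    return path


if __name__ == "__main__":
    for payload in TRAVERSAL_PAYLOADS:
        resolved = unsafe_destination(TMP_DIR, payload)
        print(f"unsafe join  : {payload!r} -> {resolved}")
        print(f"  inside tmp : {is_within(TMP_DIR, resolved)}")
        try:
            safe_destination(TMP_DIR, payload)
        except ValueError as exc:
            print(f"  hardened   : rejected ({exc})")
    print("random path  :", random_destination(TMP_DIR))
```

The containment check is deliberately done on the resolved path rather than by looking for ".." in the string, so encoded or redundant separators do not bypass it; the random-path variant removes the client's influence on the destination altogether, which is the safer default when the name is not needed.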
1. Open the New Contact view via Address Book in the menu.
2. Fill the mandatory fields, submitting the PHP backdoor in the Photo file field. The file name is irrelevant.
3. Click the Add button and intercept the outgoing HTTP request using Burp Suite. You should see the POST data including the uploaded PHP backdoor.
4. Set object[photo][img][file] to the path that traverses the temporary folder and saves the PHP backdoor under the static/ folder. Two path traversals have been found working in different installations: ./usr/share/horde/static/bd.php, working with Horde installed with apt-get; ./var/www/html/horde/static/bd.php, working with Horde manually installed with PEAR.
5. Use the uploaded PHP file to execute arbitrary commands.
Install the module under ~/.msf4/modules/exploits/multi/http/horde_form_file_upload.rb.
Update the Horde Form subcomponent to version 2.0.19 or later.