========================================================================
= CodeScan Advisory, codescan.com <[email protected]>

= Unauthenticated Arbitrary File Read in Horde v3.09 and prior

= Vendor Website:
= http://www.horde.org

= Affected Version:
= Versions prior to and including v3.09

= Researched By
= Paul Craig <[email protected]>

= Public disclosure on March 15th, 2006

== Overview ==

CodeScan Labs (www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.

During the beta testing of CodeScan PHP, Horde v3.09 was selected as
one of the test applications.

This advisory is the result of research into the security of Horde, based
on the report generated by the CodeScan tool.

CodeScan Labs has also worked with the vendor of horde to ensure future
versions of the product are secure.

== Affected Versions ==

Although all versions of horde v3.09 and prior are vulnerable to this
attack, many distrubitions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several horde developers were unable to reproduce this
vulnerability on Debian based servers.

== Vulnerability Details ==

In the file /services/go.php, an insecure call is made to the readfile()
function.

This can be seen in the code below.

$_GET['url'] = trim($_GET['url']);

if (get_magic_quotes_gpc()) {
$url = @parse_url(trim(stripslashes($_GET['url'])));
} else {
$url = @parse_url(trim($_GET['url']));
}

if (empty($url) || empty($url['host'])) {
exit;
}

if ((!empty($_SERVER['SERVER_NAME']) &&
$_SERVER['SERVER_NAME'] == $url['host']) ||
(!empty($_SERVER['HTTP_HOST']) &&
$_SERVER['HTTP_HOST'] == $url['host'])) {

…

// Pass through image content if requested.
if (!empty($_GET['untrusted'])) {
readfile($_GET['url']);
exit;

Calls to parse_url attempt to sanitise the input through
the requirement of an http:// type string.

Embedding a NULL character within the URL variable enables
an attacker to control the variable passed to readfile()
leading to the reading of any file on the file system with
the privileges of the web server.

== Solutions ==

CodeScan Labs has been in contact with Horde and a new version of
the software has been released to address the discovered
vulnerability.

Users are advised to upgrade to version 3.1
ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz

== Credit ==

Discovered and advised to Horde 4th March, 2006 by Paul Craig of
Security-Assessment.com

== About CodeScan Labs Ltd ==

CodeScan Labs is specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP
and PHP(Beta)

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's only pure play security
company, specialising in security audit, assurance and advice services.
Assisting large and medium size Enterprises who require true independent
measurement of their security compliance at all levels.

e-mail protected and scanned by Bizo Email Filter - powered by Advascan