Summary
The host is running Horde and is prone to a local file inclusion vulnerability.
Impact
Successful exploitation will allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
Impact Level: Application
Solution
Upgrade to Horde 3.2.4 or 3.3.3 and Horde Groupware 1.1.5.
For updates refer to http://www.horde.org/download/
Insight
The flaw is caused by improper validation of user-supplied input to the 'driver' argument of the 'Horde_Image::factory' method before using it to include PHP code in 'lib/Horde/Image.php'.
Affected
Horde versions before 3.2.4 and 3.3.3
Horde Groupware versions before 1.1.5
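A simplified illustration of the pattern described under Insight, added here and not taken from Horde's own code: a driver name taken from user input is used to build an include path, and the hardened form restricts it to a fixed allowlist of known driver names before any file is loaded. The driver list, function names and hostile value below are constructed for the example.

```php
<?php
// Added illustration of the flaw pattern; this is NOT Horde's actual Horde_Image::factory.
// Hypothetical simplified factory: the driver name selects which PHP file gets included.

// Vulnerable shape: the driver string is concatenated straight into the include path.
// A value containing '../' sequences escapes the drivers directory and loads another file.
function loadDriverUnsafe(string $driver): string
{
    $path = __DIR__ . '/Image/' . $driver . '.php';
    // include $path;   // traversal sequences in $driver change what is loaded here
    return $path;
}

// Hardened shape: accept only names from a fixed allowlist and reject everything else.
// Stripping '../' is not enough; the safe check is an exact match against known drivers.
const KNOWN_DRIVERS = ['gd', 'im', 'png', 'svg']; // constructed example list
function loadDriverSafe(string $driver): string
{
    if (!in_array($driver, KNOWN_DRIVERS, true)) {
        throw new InvalidArgumentException('Unknown image driver: ' . $driver);
    }
    $path = __DIR__ . '/Image/' . $driver . '.php';
    // include $path;   // only a known, fixed file name can reach this point
    return $path;
}

// Demonstration with a constructed traversal value (nothing is actually included).
$hostile = '../../config/conf';
echo loadDriverUnsafe($hostile), "\n";   // path now points outside the Image/ directory
try {
    loadDriverSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";         // request rejected before any include
}
```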
Classification
CVE: CVE-2009-0932
Severity
CVSS Base Score: 6.4
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N