Vulnerabilities > CVE-2020-8866 - Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing Functionality Not Properly Constrained by ACLs In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
- Privilege Abuse An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
Exploit-Db
id EDB-ID:48209 last seen 2020-03-12 modified 2020-03-11 published 2020-03-11 reporter Exploit-DB source https://www.exploit-db.com/download/48209 title Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion id EDB-ID:48210 last seen 2020-03-12 modified 2020-03-11 published 2020-03-11 reporter Exploit-DB source https://www.exploit-db.com/download/48210 title Horde Groupware Webmail Edition 5.2.22 - PHAR Loading
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2020-A55B70B4AB.NASL description **Horde_Form 2.0.20** - [mjr] SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866, Reported By: Andrea Cardaci working with Trend Micro Zero Day Initiative). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2020-03-18 plugin id 134637 published 2020-03-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134637 title Fedora 31 : php-horde-Horde-Form (2020-a55b70b4ab) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2020-a55b70b4ab. # include("compat.inc"); if (description) { script_id(134637); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/27"); script_cve_id("CVE-2020-8866"); script_xref(name:"FEDORA", value:"2020-a55b70b4ab"); script_name(english:"Fedora 31 : php-horde-Horde-Form (2020-a55b70b4ab)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "**Horde_Form 2.0.20** - [mjr] SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866, Reported By: Andrea Cardaci working with Trend Micro Zero Day Initiative). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-a55b70b4ab" ); script_set_attribute( attribute:"solution", value:"Update the affected php-horde-Horde-Form package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8866"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Form"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC31", reference:"php-horde-Horde-Form-2.0.20-1.fc31")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-horde-Horde-Form"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2020-A69F99BC67.NASL description **Horde_Form 2.0.20** - [mjr] SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866, Reported By: Andrea Cardaci working with Trend Micro Zero Day Initiative). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2020-03-18 plugin id 134638 published 2020-03-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134638 title Fedora 30 : php-horde-Horde-Form (2020-a69f99bc67) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2020-a69f99bc67. # include("compat.inc"); if (description) { script_id(134638); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/27"); script_cve_id("CVE-2020-8866"); script_xref(name:"FEDORA", value:"2020-a69f99bc67"); script_name(english:"Fedora 30 : php-horde-Horde-Form (2020-a69f99bc67)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "**Horde_Form 2.0.20** - [mjr] SECURITY: Prevent ability to specify temporary filename (CVE-2020-8866, Reported By: Andrea Cardaci working with Trend Micro Zero Day Initiative). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-a69f99bc67" ); script_set_attribute( attribute:"solution", value:"Update the affected php-horde-Horde-Form package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8866"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-horde-Horde-Form"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"php-horde-Horde-Form-2.0.20-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-horde-Horde-Form"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2162.NASL description A remote code execution vulnerability was discovered in the Form API component of the Horde Application Framework. An authenticated remote attacker could use this flaw to upload arbitrary content to an arbitrary writable location on the server and potentially execute code in the context of the web server user. For Debian 8 last seen 2020-04-03 modified 2020-03-30 plugin id 134983 published 2020-03-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134983 title Debian DLA-2162-1 : php-horde-form security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2162-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(134983); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/02"); script_cve_id("CVE-2020-8866"); script_name(english:"Debian DLA-2162-1 : php-horde-form security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "A remote code execution vulnerability was discovered in the Form API component of the Horde Application Framework. An authenticated remote attacker could use this flaw to upload arbitrary content to an arbitrary writable location on the server and potentially execute code in the context of the web server user. For Debian 8 'Jessie', this problem has been fixed in version 2.0.8-2+deb8u2. We recommend that you upgrade your php-horde-form packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/php-horde-form" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected php-horde-form package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-horde-form"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"php-horde-form", reference:"2.0.8-2+deb8u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Packetstorm
data source https://packetstormsecurity.com/files/download/156698/exploit-phar-loading.py.txt id PACKETSTORM:156698 last seen 2020-03-14 published 2020-03-12 reporter Andrea Cardaci source https://packetstormsecurity.com/files/156698/Horde-Groupware-Webmail-Edition-5.2.22-PHAR-Loading.html title Horde Groupware Webmail Edition 5.2.22 PHAR Loading data source https://packetstormsecurity.com/files/download/156699/exploit-inc-inclusion.py.txt id PACKETSTORM:156699 last seen 2020-03-13 published 2020-03-12 reporter Andrea Cardaci source https://packetstormsecurity.com/files/156699/Horde-Groupware-Webmail-Edition-5.2.22-PHP-File-Inclusion.html title Horde Groupware Webmail Edition 5.2.22 PHP File Inclusion
References
- https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html
- https://lists.horde.org/archives/announce/2020/001288.html
- https://lists.horde.org/archives/announce/2020/001288.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-275/
- https://www.zerodayinitiative.com/advisories/ZDI-20-275/