===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0022
         Multiple vulnerabilities in Horde Groupware, IMP H4, and
                        Groupware Webmail Edition.
                             14 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Horde Groupware
                      Horde IMP H4
                      Horde Groupware Webmail Edition
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0791 CVE-2012-0209 
Member content until: Thursday, March 15 2012

OVERVIEW

        A vulnerability has been fixed in Horde Groupware 1.2.11, and
        multiple vulnerabilities have been fixed in Horde IMP H4 5.0.18 and
        in Horde Groupware Webmail Edition 1.2.11 and 4.0.6. [1][2][3][4]


IMPACT

        The Horde Team has provided the following details regarding
        vulnerability CVE-2012-0209: [5]
        
        "A few days ago we became aware of a manipulated file on our FTP
        server. Upon further investigation we discovered that the server had
        been hacked earlier, and three releases have been manipulated to allow
        unauthenticated remote PHP execution.
        
        We have immediately taken down all distribution servers to further
        analyze the extent of this incident, and we have worked closely with
        various Linux distributions to coordinate our response.
        
        Since then the FTP and PEAR servers have been replaced and further  
        secured. Clean versions of our releases have been uploaded.
        
        ... no Horde 4 releases were compromised. Our CVS and Git repositories are not
        affected either. Linux distributions that are affected will notify and
        provide security releases individually."
        
        The National Vulnerability Database (NVD) has the following information
        on vulnerability CVE-2012-0791: [6]
        
        "Multiple cross-site scripting (XSS) vulnerabilities... allow remote
        attackers to inject arbitrary web script or HTML via the (1)
        composeCache, (2) rtemode, or (3) filename_* parameters to the compose
        page; (4) formname parameter to the contacts popup window; or (5) IMAP
        mailbox names."


MITIGATION

        Users should upgrade to the latest versions of these products.
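        Because the incident above involved manipulated release files rather
        than a code defect, upgrading alone does not tell an administrator
        whether the copy already deployed came from a tampered archive. The
        following script is an added example, not AusCERT's or the Horde
        project's code: it hashes every file in a clean release tarball and
        diffs that against a deployed tree, reporting modified, foreign and
        missing files. The archive name, web root and sample file contents
        are constructed assumptions so it runs offline.

```python
# Added example, not AusCERT's or the Horde project's code: hash every file in a
# clean release tarball and diff it against a deployed tree, so a manipulated or
# foreign file of the kind this incident describes stands out.
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def tar_digests(tar_path):
    """SHA-256 per regular file in the tarball, leading 'horde-x.y.z/' stripped."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                data = tar.extractfile(m).read()
                digests[m.name.split("/", 1)[-1]] = hashlib.sha256(data).hexdigest()
    return digests

def tree_digests(root):
    """SHA-256 per file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_release(tar_path, install_dir):
    """Return (modified, extra, missing) paths of the deployment relative to the release."""
    clean, deployed = tar_digests(tar_path), tree_digests(install_dir)
    modified = {p for p in clean if p in deployed and clean[p] != deployed[p]}
    return modified, set(deployed) - set(clean), set(clean) - set(deployed)

def build_sample():
    """Constructed data: a tiny clean tarball and a deployment with one tampered, one foreign file."""
    base = tempfile.mkdtemp()
    tar_path = str(Path(base, "horde-clean.tar.gz"))  # hypothetical release archive
    files = {"index.php": b"<?php echo 'ok';", "lib/Core.php": b"<?php class Core {}"}
    with tarfile.open(tar_path, "w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo("horde-1.2.11/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    files["index.php"] += b" /* tampered */"            # differs from the release
    files["lib/extra.php"] = b"<?php /* not shipped */"  # absent from the release
    install = Path(base, "htdocs")  # hypothetical web root
    for rel, data in files.items():
        dest = install / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return tar_path, str(install)
```

        Calling `compare_release(*build_sample())` on the constructed data
        returns `({'index.php'}, {'lib/extra.php'}, set())`; against a real
        deployment, pass the path of the clean tarball and the web root.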


REFERENCES

        [1] Horde Groupware 1.2.11 (final)
            http://lists.horde.org/archives/announce/2012/000749.html

        [2] IMP H4 (5.0.18) (final)
            http://lists.horde.org/archives/announce/2012/000737.html

        [3] Horde Groupware Webmail Edition 1.2.11 (final)
            http://lists.horde.org/archives/announce/2012/000750.html

        [4] Horde Groupware Webmail Edition 4.0.6 (final)
            http://lists.horde.org/archives/announce/2012/000741.html

        [5] Remote execution backdoor after server hack (CVE-2012-0209)
            http://lists.horde.org/archives/announce/2012/000751.html

        [6] Vulnerability Summary for CVE-2012-0791
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0791

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================