PT-2026-56217 · Packagist · Egroupware/Egroupware

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-45016

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

The function processes image URLs embedded in an HTML email body without validating or restricting URI schemes. The check !str starts with($myUrl, 'http') evaluates to true for file:// URIs, causing file get contents($basedir . urldecode($myUrl)) to read arbitrary files from the server filesystem and embed them as inline MIME attachments in outgoing email.
str starts with('file:///etc/passwd', 'http') → false !false → true
php
// api/src/Mail.php 
foreach($images[2] as $i => $url)
			{
				//$isData = false;
				$basedir = $data = '';
				$needTempFile = true;
				$attachmentData = ['name' => '', 'type' => '', 'file' => '', 'tmp name' => ''];
				try
				{
					// do not change urls for absolute images (thanks to corvuscorax)
					if (!str starts with($url, 'data:'))
					{
						$attachmentData['name'] = basename($url); // need to resolve all sort of url
						if (($directory = dirname($url)) == '.') $directory = '';
						$ext = pathinfo($attachmentData['name'], PATHINFO EXTENSION);
						$attachmentData['type'] = MimeMagic::ext2mime($ext);
						if ( strlen($directory) > 1 && !str ends with($directory, '/')) { $directory .= '/'; }
..
...
....
// processURL2InlineImages function
if ( $myUrl[0]!='/' && strlen($basedir) > 1 && !str ends with($basedir, '/')) { $basedir .= '/'; }
						if ($needTempFile && empty($attachment) && !str starts with($myUrl, "http"))
						{
							try {
								$data = file get contents($basedir.urldecode($myUrl));
							}
							catch (Throwable $e) {
								 egw log exception($e);
							}
						}
					}
					if (str starts with($url, 'data:'))

PoC

  1. Log in as any authenticated EGroupware user with mail access and open the mail compose window.
  2. Switch to HTML body mode and insert: <img src="file:///etc/passwd">.
  3. The server executes file get contents('file:///etc/passwd'), writes the content to a temp file, and attaches it as an inline MIME part.

Impact

An authenticated attacker can read arbitrary files accessible by the web server process, including /etc/passwd, application configuration files containing database credentials, private TLS keys, and environment files.

Remediation

Enforce a strict URI scheme allowlist before calling file get contents(). Replace the check !str starts with($myUrl, 'http') with if (!preg match('#^https?://#i', $myUrl)) { continue; } to reject file://, ftp://, php://, data://, and any other non-HTTP scheme.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-45016
GHSA-C8M7-R2JV-RW63

Produtos afetados

Egroupware/Egroupware