CVE-2019-9858

Name of the Vulnerable Software and Affected Versions Horde Groupware Webmail versions 5.2.17 through 5.2.22

Description A remote code execution issue was discovered, related to the handling of image uploads in forms. The Horde Form Type image class in Horde/Form/Type.php contains a vulnerability that allows an attacker to manipulate the file path used to save uploaded images. This is due to the use of unsanitized user input from the object[photo][img][file] POST parameter, which is stored in the $upload[img][file] PHP variable. An attacker can exploit this by setting the parameter to a malicious path, such as ../usr/share/horde/static/bd.php, allowing them to write a PHP backdoor inside the web root. The static/ destination folder is a potential target because it is typically writable in Horde installations.

Recommendations For versions 5.2.17 through 5.2.22, consider disabling the Horde Form Type image class or restricting access to the onSubmit() method until a patch is available. Additionally, restrict write access to the static/ destination folder to minimize the risk of exploitation. Avoid using the object[photo][img][file] parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.