The branch "master" has been updated. The following is a summary of the commits.

from: f7672ebc89530aa2f201b0f9bb66c9e7477e77b1

  eb3afd1 Fix RCE in _raw() via $index parameter.
  3afdce9 [jan] SECURITY: Fix remote code execution vulnerability in Im driver (Thomas Jarosch <[email protected]>).

Summary: http://github.com/horde/horde/compare/f7672ebc89530aa2f201b0f9bb66c9e7477e77b1...3afdce9d40d8a0e5c30f711ddf7cb24850751e52

-----------------------------------------------------------------------

commit eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
Author: Thomas Jarosch <[email protected]>
Date:   Fri Sep 15 15:45:55 2017 +0200

    Fix RCE in _raw() via $index parameter.

    $index is passed down from getImageAtIndex($index).
    Luckily the only official horde code calling it is the PDF preview code
    with a fixed index of 0. Still code from third party vendors using the
    Horde framework libs might expose getImageAtIndex() to the web.

    PoC:
    ----------------
    <?php
    $options = array('index' => "5'$(ls -al )'");
    $max_pages = 10;

    // php fun: implicit conversion to integer
    if ($options['index'] < $max_pages) {
        // _raw() call in Im.php might look like
        // /usr/bin/convert "/tmp/img1URPsC"'[0]' -strip png:"/tmp/img0NgHfI"
        echo exec('echo \'[' . $options['index'] . ']\' ');
    }
    ?>
    ----------------

    Signed-off-by: Thomas Jarosch <[email protected]>
    Signed-off-by: Jan Schneider <[email protected]>

 framework/Image/lib/Horde/Image/Im.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

http://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

-----------------------------------------------------------------------

commit 3afdce9d40d8a0e5c30f711ddf7cb24850751e52
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 19 18:06:03 2017 +0200

    [jan] SECURITY: Fix remote code execution vulnerability in Im driver (Thomas Jarosch <[email protected]>).

 framework/Image/package.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/3afdce9d40d8a0e5c30f711ddf7cb24850751e52

--
commits mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: [email protected]
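As an added illustration (not Horde's code and not the one-line patch in eb3afd1), the PHP below reproduces the bound-check-then-concatenate shape the commit message describes and sets a hardened variant beside it that accepts only a canonical integer index and quotes the argument with escapeshellarg(). The file paths and MAX_PAGES are constructed values, and the "implicit conversion" the PoC relies on is PHP 7 loose comparison; PHP 8 changed how non-numeric strings compare with integers.

```php
<?php
// Added example, not Horde's code. SRC/DST/MAX_PAGES are constructed
// sample values standing in for the temp files and page count that
// _raw() / getImageAtIndex() work with.
const SRC = '/tmp/img1URPsC';
const DST = '/tmp/img0NgHfI';
const MAX_PAGES = 10;

// Vulnerable shape from the PoC: under PHP 7 loose comparison the
// leading digits of "5'$(ls -al )'" make the bound check pass, and the
// untouched string is then spliced inside the single-quoted frame
// selector, which the payload closes with its own quote.
function buildCommandUnsafe($index): ?string
{
    if ($index < MAX_PAGES) {
        return '/usr/bin/convert "' . SRC . "\"'[" . $index
            . "]' -strip png:\"" . DST . '"';
    }
    return null;
}

// Hardened shape: only an int or an all-digit string is accepted, it is
// cast before the range check, and the whole "path[page]" token goes
// through escapeshellarg() so it cannot terminate its own quoting.
function buildCommandSafe($index): ?string
{
    if (is_int($index)) {
        $page = $index;
    } elseif (is_string($index) && ctype_digit($index)) {
        $page = (int) $index;
    } else {
        return null;          // "5'$(ls -al )'" is rejected here
    }
    if ($page < 0 || $page >= MAX_PAGES) {
        return null;          // out of range, even if numeric
    }
    return '/usr/bin/convert ' . escapeshellarg(SRC . '[' . $page . ']')
        . ' -strip ' . escapeshellarg('png:' . DST);
}

$payload = "5'$(ls -al )'";
var_dump(buildCommandUnsafe($payload));   // payload embedded verbatim (PHP 7)
var_dump(buildCommandSafe($payload));     // rejected
var_dump(buildCommandSafe('5'));          // quoted, well-formed command
var_dump(buildCommandSafe(42));           // rejected: beyond MAX_PAGES
```

Nothing here executes a command; both builders only return the string that would be handed to exec(), so the difference between the two shapes can be inspected safely.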
