Horde 3.0.5 / Plesk 7.5.4 Exploit
August 13th, 2006
Running a check on Apache's default logs (/var/log/httpd/access_log), I found attempts to exploit the server through a "backdoor" in Horde.
I haven't fully checked what could be done with this exploit, but leaving the affected script unprotected is certainly an open invitation for trouble.
To check it, just request the following on any webmail domain on your server (the check is completely harmless, as it only runs uname -a and shows its results in the browser):
http://webmail.yourserver.com///horde//services/help/index.php?show=about&module=;%22.passthru(%22uname%20-a%22);’.
With some imagination and careful URL encoding, you can get commands to be executed under Apache’s account and privileges.
Until further investigation is done, I have modified the affected script so that nothing happens when it is called (so far the only downside seems to be that Horde's Help system does not work).
The affected script is index.php, located at /usr/share/psa-horde/services/help.
For some debugging, I’ve included the following code right before Horde’s code:
<?php
// Email every request that reaches this script (legitimate or not), then stop
// before any of Horde's own code runs.
$request = print_r($_REQUEST, true);
$server  = print_r($_SERVER, true);
mail("youremailaddress@example.com",
     "HORDE BOGUS REQUEST " . date("r"),
     "Request\n" . $request . "\nServer\n" . $server,
     "From: \"Server\" <youremailaddress@example.com>");
die();
?>
That will email you every request to the script, headers included, whether it is legitimate or an attempt to exploit your server.
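Since the first sign of this activity was in access_log, a small log check is also useful. The following is an added example, not code from the original post or from Horde: it flags requests to the help script whose show or module parameter is anything other than a plain module name, which is the shape of the request quoted above. The log lines, hosts and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access_log lines (combined format); the hosts,
# timestamps and user agents are made up and are not from the post's server.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2006:10:12:01 +0000] "GET /horde/services/help/index.php?show=about&module=imp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Aug/2006:10:14:22 +0000] "GET ///horde//services/help/index.php?show=about&module=;%22.passthru(%22uname%20-a%22);' HTTP/1.1" 200 98 "-" "curl/7.15"
10.0.0.7 - - [13/Aug/2006:10:15:03 +0000] "GET /horde/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

HELP_SCRIPT = "/horde/services/help/index.php"
# A legitimate 'show' or 'module' value is a plain name such as "about" or "imp".
PLAIN_VALUE = re.compile(r"^[A-Za-z0-9_.-]*$")

def is_suspicious_help_request(target):
    """True when the request hits the help script with a 'show' or 'module'
    value that is anything other than a plain identifier."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)          # collapse ///horde// into /horde/
    if not path.endswith(HELP_SCRIPT):
        return False
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        value = unquote(unquote(value))      # undo double URL encoding as well
        if key in ("show", "module") and not PLAIN_VALUE.match(value):
            return True
    return False

def scan_access_log(text):
    """Return [(ip, timestamp, request target)] for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_help_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits

if __name__ == "__main__":
    # Run it over the real file with: scan_access_log(open("/var/log/httpd/access_log").read())
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {target}")
```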
I will update the topic as soon as I have time to correct the script.
This was verified with psa-horde-3.0.5-rhel4.build75050824.12.
UPDATE: The problem is solved on Plesk’s 7.5.4 build 75060413.12, which includes psa-horde-3.1.1-rhel4.build75060413.11.
1 Comment
1. Bill hick… | August 21st, 2006 at 1:48 pm
I am Karin, very interesting article that contained the information I was searching for in Google, thanks….