Horde arbitrary file inclusion vulnerability

Discussion in 'Plesk for Linux - 8.x and Older' started by DerFalk, Mar 9, 2008.

  1. DerFalk (Guest)

  2. breun (Golden Pleskian)

  3. DerFalk (Guest)

    OK, but what can we do now? This fix is for Horde "standalone"; what about the "Plesk-IMP"?
     
  4. breun (Golden Pleskian)

    The link I posted also has links to patches against 3.1.6. Maybe you can modify them so they apply cleanly on psa-horde. Otherwise you'll just have to bug Parallels about it and/or wait for a Plesk update.
     
  5. tiramisu_ (Guest)

    A fix for 8.3 was requested from Plesk development, so we are waiting for a reply.

    Permanent fix in 8.4 only.
     
  6. buddaaa (Guest)

    Is there any fix for Horde 3.1.5? My Plesk installation uses it:

    # rpm -qa|grep horde
    psa-horde-3.1.5-suse10.2.build83071218.20
     
  7. tiramisu_ (Guest)

    8.4 comes with 3.1.6
     
  8. tiramisu_ (Guest)

    It should be available at the end of April.
     
  9. breun (Golden Pleskian)

    All versions up to and including 3.1.6 seem to be vulnerable, so I hope that is a patched version of Horde 3.1.6.
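    Added here as an example, not code from the thread, Plesk or Horde: a small POSIX sh script that takes the `rpm -qa | grep horde` output shown a few posts up, extracts the upstream version of `psa-horde`, and reports whether it is at or below 3.1.6, the range breun describes above. The 3.1.6 cut-off, the `AFFECTED_MAX` name, the function names and the sample package lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum, Plesk or Horde.
# It parses `rpm -qa`-style package names, pulls out the upstream version of
# psa-horde, and flags anything at or below AFFECTED_MAX. The threshold is an
# assumption taken from the post above ("up to and including 3.1.6").

AFFECTED_MAX=3.1.6

# Constructed sample of `rpm -qa | grep horde` output (not from a real host);
# the first line is the package name quoted earlier in the thread.
SAMPLE_RPM_QA='psa-horde-3.1.5-suse10.2.build83071218.20
psa-imp-4.1.5-suse10.2.build83071218.20
psa-horde-3.1.6-rhel5.build84080425.16
psa-horde-3.1.7-rhel5.build84080425.16'

# horde_version PKG: print the upstream version embedded in a psa-horde
# package name (psa-horde-3.1.5-suse10.2.build... -> 3.1.5). Prints nothing
# for other packages (psa-imp, psa-turba, ...), so callers can skip them.
horde_version() {
    printf '%s\n' "$1" | sed -n 's/^psa-horde-\([0-9][0-9.]*\)-.*$/\1/p'
}

# version_le A B: exit 0 when dotted version A <= B. Components are compared
# numerically one at a time (so 3.10 > 3.9) and missing components count as 0
# (so 3.1 == 3.1.0). No sort -V needed, which older hosts may lack.
version_le() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
    done
    return 0
}

# check_horde_packages: read package names on stdin, print one verdict line
# per psa-horde package, and return 1 if any of them is in the affected range.
check_horde_packages() {
    found=0
    while IFS= read -r pkg; do
        v=$(horde_version "$pkg")
        [ -n "$v" ] || continue
        if version_le "$v" "$AFFECTED_MAX"; then
            printf 'VULNERABLE %s (%s <= %s)\n' "$pkg" "$v" "$AFFECTED_MAX"
            found=1
        else
            printf 'ok %s (%s)\n' "$pkg" "$v"
        fi
    done
    return "$found"
}

# Run against the constructed sample. On a real Plesk host use:
#   rpm -qa | grep horde | check_horde_packages
printf '%s\n' "$SAMPLE_RPM_QA" | check_horde_packages \
    || echo "at least one psa-horde package is in the affected range"
```

    One caveat, which is also the point breun raises: a vendor can backport the fix without bumping the upstream version string, so a `psa-horde-3.1.6-*` package that already carries the patch will still be flagged here. Treat a hit as "go and read `rpm -q --changelog psa-horde`", not as proof that the host is exposed.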
     
  10. faris (Guest)

    It is not clear to me if this requires the attacker to log in using genuine credentials or if no authentication is required.

    Can anyone enlighten me please?

    The patch appears simple but I don't want to apply it in case it breaks the Plesk-modified version.

    Faris.
     
  11. buddaaa (Guest)

    So there is no fix right now?
     
  12. atomicturtle (Golden Pleskian, Washington, DC)

    If you're using ASL, this does not affect you.
     
  13. buddaaa (Guest)

    No, I don't use it. Which feature protects against the bug?
     
  14. DerFalk (Guest)

    For me as a hobby server user it's too expensive... :(

    But you ASL-Guys do a great job!!! :)
     
  15. atomicturtle (Golden Pleskian, Washington, DC)

    I believe the specific SQL injection rules that get it are 340013 and 340017. We've also got a virtual patch for it now, which doesn't have an ID number yet.
     
  16. Shazan (Basic Pleskian)

    It requires valid user credentials -> http://secunia.com/advisories/29286/
     