
Horde patch

evilrabbi

Guest
The version of Horde that is shipped with Plesk is vulnerable to remote execution in the help module. This can lead to unauthorized people having access to your server. I'm sure SWsoft will issue a patch, but until then you can use the patch I wrote.

Add the following lines of code to the index.php file located in
/usr/share/psa-horde/services/help.

Add it after

$topic = Util::getFormData('topic');

and before

if ($module == 'admin') {

After a patch is issued by Plesk, remove the code, then update.

$good_module = $module;
$bad_chars = array
(
"';'",
"'\''",
);
$replace = array
(
" "
);
$good_module = preg_replace ($search, $replace, $good_module);

$module = $good_module;

cheers,
evilrabbi < evilrabbi <at> gmail [dot] com>
 
The above code didn't exactly work with me.
I changed it to this, which worked: (I did a few tests to make sure it did.)

Code:
$good_module = $module;
$bad_chars = array("';'","''",);
$replace = array(" ");
$good_module = preg_replace ($bad_chars, $replace, $good_module);
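
As an added example (not part of either post, and not Horde or Plesk code), the sketch below contrasts the character-stripping approach used in this thread with an allowlist check on the module name. The function names, the allowed pattern and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not Horde or Plesk code. Function names, the allowed
// pattern and the sample inputs are assumptions.

// Character-stripping filter in the shape used in the thread:
// two patterns, but only one entry in the replacement array.
function strip_chars(string $module): string
{
    $bad_chars = array("/;/", "/'/");
    $replace   = array(" ");
    // A pattern with no matching replacement entry is replaced by "".
    return preg_replace($bad_chars, $replace, $module);
}

// Allowlist check: the whole value must be a short identifier, or it is rejected.
function valid_module(string $module): bool
{
    return preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $module) === 1;
}

// Constructed sample values for the "module" request parameter.
$samples = array("imp", "turba", "imp;x", "imp'x", "imp/x");

foreach ($samples as $s) {
    printf(
        "%-8s stripped=%-8s allowlist=%s\n",
        var_export($s, true),
        var_export(strip_chars($s), true),
        valid_module($s) ? "accept" : "reject"
    );
}
```

The stripping filter only touches the characters it lists and passes everything else through unchanged, while the allowlist rejects any value that is not a plain identifier.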
 