• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Vulnerability in Horde

galaxy

Regular Pleskian
The version of Horde that comes with plesk 7.5 and I believe 8.0 has a vulnerability where it lets others abuse the help system to run arbitrary commands on the server allowing themselves to download & install code on your server, open up sockets and run shells.

See: http://www.securityfocus.com/bid/17292

I've just been hacked. Horde says they've fixed it in 3.0.10 and 3.1.1.
 
I manually patched /usr/share/psa-horde/services/help/index.php back on April 4th, attached is my patched version.

Drop it back in the same folder.

PHP:
<?php
/**
 * $Horde: horde/services/help/index.php,v 2.80.10.1 2005/01/03 12:25:45 jan Exp $
 *
 * Copyright 1999-2005 Jon Parise <[email protected]>
 *
 * See the enclosed file COPYING for license information (LGPL). If you
 * did not receive this file, see [url]http://www.fsf.org/copyleft/lgpl.html.[/url]
 */

@define('HORDE_BASE', dirname(__FILE__) . '/../..');
@define('AUTH_HANDLER', true);

require_once HORDE_BASE . '/lib/base.php';
require_once 'Horde/Help.php';

$title = _("Help");
$show = String::lower(Util::getFormData('show', 'index'));
$module = String::lower(basename(Util::getFormData('module', 'horde')));
$topic = Util::getFormData('topic');

if ($module == 'admin') {
    $fileroot = $registry->get('fileroot');
    $help_file = $fileroot . "/admin/locale/$language/help.xml";
    $help_file_fallback = $fileroot . '/admin/locale/en_US/help.xml';
} else {
    $fileroot = $registry->get('fileroot', $module);
    $help_file = $fileroot . "/locale/$language/help.xml";
    $help_file_fallback = $fileroot . '/locale/en_US/help.xml';
}

if ($show == 'index') {
    $base_url = $registry->get('webroot', 'horde') . '/services/help/';
    $main_url = Horde::url($base_url);
    $main_url = Util::addParameter($main_url, array('show' => 'entry',
                                                    'module' => $module,
                                                    'topic' => $topic));
    $menu_url = Horde::url($base_url);
    $menu_url = Util::addParameter($menu_url, array('module' => $module,
                                                    'show' => 'menu'));
    require HORDE_TEMPLATES . '/help/index.inc';
} else {
    $bodyClass = 'help';
    require HORDE_TEMPLATES . '/common-header.inc';
    if ($show == 'menu') {
        /* Set up urls. */
        $url = Horde::url($registry->get('webroot', 'horde') . '/services/help/');
        $url = Util::addParameter($url, 'module', $module);
        $topics_link = Util::addParameter($url, 'show', 'topics');
        $topics_link = Horde::link($topics_link, _("List Help Topics"), 'header', 'help_main') . _("List Help Topics") . '</a>';
        $about_link = Util::addParameter($url, 'show', 'about');
        $about_link = Horde::link($about_link, _("About..."), 'header', 'help_main') . _("About...") . '</a>';
        require HORDE_TEMPLATES . '/help/menu.inc';
    } elseif ($show == 'about') {
        require $fileroot . '/lib/version.php';
        $version = String::ucfirst($module) . ' ' . constant(String::upper($module) . '_VERSION');
        $credits = Util::bufferOutput('include', $fileroot . '/docs/CREDITS');
        $credits = String::convertCharset($credits, 'iso-8859-1', NLS::getCharset());
        require HORDE_TEMPLATES . '/help/about.inc';
    } else {
        $help = &new Help(HELP_SOURCE_FILE, array($help_file, $help_file_fallback));
        if (($show == 'entry') && !empty($topic)) {
            $help->lookup($topic);
            $help->display();
        } else {
            $topics = $help->topics();
            foreach ($topics as $id => $title) {
                $link = Horde::url($registry->get('webroot', 'horde') . '/services/help/');
                $link = Util::addParameter($link, array('show' => 'entry', 'module' => $module, 'topic' => $id));
                echo Horde::link($link);
                echo $title . "</a><br />\n";
            }
        }
        $help->cleanup();
    }
}

require HORDE_TEMPLATES . '/common-footer.inc';
 
Thanks for the replies.

I updated my index.php by checking the diffs from the Horde project on that file. Essentially removing the eval() and replacing the line with:

$version = String::ucfirst($module) . ' ' . constant(String::upper($module) . '_VERSION');
 
If you are using Plesk 7.5.4, you can apply all of the updates and it will load Horde 3.1.1 (latest version).
 
Back
Top