Horde Kronolith Arbitrary Local File Inclusion Vulnerability
29 Nov. 2006
Summary
Kronolith is "a web-based calendar system written in PHP and utilizing the Horde Application Framework. It is generally installed alongside Horde's IMP web mail product". Remote exploitation of a design error in Horde's Kronolith could allow an authenticated web mail user to execute arbitrary PHP code under the security context of the running Web server.
Vulnerable Systems:
* Horde Kronolith versions 2.0.1 through 2.1.3
Immune Systems:
* Horde Kronolith version 2.0.7
* Horde Kronolith version 2.1.4
The vulnerability specifically exists due to a design error in the way the application includes certain files. Specifically, the 'lib/FBView.php' file contains a function 'Kronolith_FreeBusy_View::factory' which will include local files that are supplied via the 'view' HTTP GET request parameter. An excerpt from the code follows:
As you can see on line 179, input validation was done. However, the resulting string was not used on line 180. Instead, the unfiltered variable coming directly from the attacker is used. By utilizing directory traversal specifiers and null bytes, an attacker can trivially cause files stored on the Web server to be parsed as PHP code.
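The following is an added illustration of the defect class the advisory describes, not Kronolith's actual code: a sanitised copy of the request value is computed and then ignored, and the raw value reaches include. The function names, the view-name allowlist and the file paths are hypothetical; the hardened variant resolves the request value against an application-defined map so that no request-controlled string is ever concatenated into an include path.

```php
<?php
// Hypothetical view table: request value -> file the application itself chose.
// (Constructed for this example; not Kronolith's real layout.)
$knownViews = array(
    'day'   => 'FBView/day.php',
    'week'  => 'FBView/week.php',
    'month' => 'FBView/month.php',
);

// WEAK PATTERN (the bug class in the advisory): the validated result is
// computed but the unfiltered request value is what gets included.
function loadViewWeak($view)
{
    $clean = basename($view);              // validation result...
    include 'FBView/' . $view . '.php';    // ...is not what is used
}

// HARDENED: treat the request value only as a lookup key. Anything that is
// not an exact allowlist entry (including values carrying '../' or a NUL
// byte) is rejected before any file system access happens.
function loadViewHardened($view)
{
    global $knownViews;

    if (!is_string($view) || !isset($knownViews[$view])) {
        return false;                      // unknown view name: refuse, do not guess
    }

    $path = $knownViews[$view];            // application-defined, never request text
    if (!is_readable($path)) {
        return false;
    }

    include $path;
    return true;
}

// Usage (only the hardened form should be reachable from request handling):
$requested = isset($_GET['view']) ? $_GET['view'] : 'day';
if (!loadViewHardened($requested)) {
    header('HTTP/1.0 400 Bad Request');
    echo 'Unknown view';
}
```

The point of the allowlist is that the fix does not depend on stripping traversal sequences or null bytes from the input; the request value is never used as part of a path at all, so an incomplete filter cannot reopen the issue.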
Analysis:
Successful exploitation could allow an attacker to include an arbitrary local file on the affected host. Due to the lack of effective input validation on $_GET['view'], directory traversal specifiers could be utilized to parse any file on the system as PHP code.
Vendor response:
The Horde core team has addressed this vulnerability in versions 2.0.7 and 2.1.4 of Kronolith.