Horde Security Vuln

Just a heads up: lots of hosts are disabling Horde webmail due to an undocumented and unconfirmed Horde exploit.

I went ahead and disabled Horde on all of my InterWorx boxes by commenting out the webmail/horde lines in /home/interworx/etc/httpd config files.

Figured that I’d post this here as a heads up to the InterWorx team and other users.
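The workaround the poster describes, commenting out the Horde lines in the InterWorx httpd config files so the webmail component stops being served until a fix ships, as an added example script that is not part of the original thread or of InterWorx itself. The directory /home/interworx/etc/httpd is the one named in the post; the config file contents below are constructed for illustration and are not InterWorx's real configuration.

```sh
#!/bin/sh
# Added example (not from the original thread): disable Horde by commenting
# out every active config line that references it, keeping a backup of each
# file, so the component is unreachable until a patched release is installed.
set -eu

# disable_horde_lines FILE
# Copies FILE to FILE.bak, prefixes each non-comment line mentioning "horde"
# (case-insensitive) with "# ", and prints how many lines were changed.
# Lines that are already comments are left alone, so re-running is a no-op.
disable_horde_lines() {
    file="$1"
    cp -p "$file" "$file.bak"
    changed=$(awk 'tolower($0) ~ /horde/ && $0 !~ /^[ \t]*#/ {n++} END {print n+0}' "$file")
    tmp=$(mktemp)
    awk 'tolower($0) ~ /horde/ && $0 !~ /^[ \t]*#/ {print "# " $0; next} {print}' "$file" > "$tmp"
    mv "$tmp" "$file"
    printf '%s\n' "$changed"
}

# make_sample_config FILE
# Writes a constructed webmail alias fragment for demonstration and testing;
# the paths are invented and are not InterWorx's real configuration.
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample of a webmail alias config; not InterWorx's real file
Alias /webmail /home/interworx/var/horde
Alias /horde /home/interworx/var/horde
Alias /roundcube /home/interworx/var/roundcube
# horde: remember to re-enable once patched
EOF
}

# Usage: sh disable_horde.sh /home/interworx/etc/httpd/*.conf
# With no arguments the script defines the functions and exits.
for conf in "$@"; do
    n=$(disable_horde_lines "$conf")
    echo "$conf: commented out $n horde line(s), backup in $conf.bak"
done
```

Two caveats a practitioner would check before reloading Apache: a container such as `<Directory ...>` that names Horde has a matching closing line that does not mention it, so both halves must be commented or the config will not parse; and `apachectl configtest` should pass before `apachectl graceful` is run. The `.bak` copies make re-enabling a matter of moving them back once the patched Horde is installed.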

That link requires a login. Can you post the info here?

A few key posts from that thread…

Again, it may be just me being paranoid, but I just want to make certain that I did not miss something that I may wind up paying for later. The posts I found are below; only one forum talks about the vulnerability being able to root any machine running Horde in cPanel:

The two forums I found in the Google search:

This one actually stating the vulnerability:

http://forums.hostgator.com/showthre...post%20target=

This one had disabled it as of this morning when I searched Google again, but did not give a reason yet:

http://dotable.com/dotable-announcem…-disabled.html

Again, I just want to make certain. If this is not the case, great, but if it is, then we want to make sure that we follow suit on our servers and disable it until the next update of Horde.

Apparently root access can in fact be leveraged through the bug (edit: I have no proof of this myself, and I'm not entirely convinced that escalating to root is possible, simply due to lack of information), and according to one cPanel staff member, disabling Horde will mitigate the current threat. cPanel is aware of and working on the issue at this time. That's all the information I have.

cPanel has collaborated with one of our partners to work to patch a security vulnerability in the Horde webmail application. HostGator has graciously provided information which will help facilitate our creation of a patch. As soon as the patch has been completed and tested it will be deployed to all cPanel builds. The completed patch will also be sent to the Horde Project (http://www.horde.org) for inclusion within the Horde codebase.

At present, we can confirm that the security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time). We recommend anyone using Horde or Horde Groupware disable it until the patch has been released. Since this vulnerability is contained in the stock Horde distribution and not limited to its use on cPanel servers, we recommend disabling Horde on all platforms until patched.

Thanks for the info, Alex. We've contacted HostGator asking for details about this supposed Horde exploit so we can release an update that fixes it, if necessary. If anyone learns any details about this that they don't want to post publicly, you can e-mail support@interworx.com as well.

Thanks,

Paul

We’ve released an update that fixes this security hole in Horde, and a handful of other bugs that have crept up.

http://interworx.com/forums/showthread.php?t=2702

Paul

Glad to hear it! Thanks for the quick response to this security hole. It's much appreciated by the community, I'm sure. :cool:

Yeah, standard Iworx practice to take care of these things quickly. It's great software on its own, but even better with the great support behind it.