A few key posts from that thread…
Again, it may be just me being paranoid…but I just want to make certain that I did not miss something that I may wind up paying for later. The posts I found are below…only one forum talks about the vulnerability being able to root any machine running Horde in cPanel:
The two forums I found in the Google search:
This one actually stating the vulnerability:
This one was disabled today when searching Google again this morning, but did not give a reason yet:
Again, I just want to make certain, if this is not the case great, but if it is, then we want to make sure that we follow suit on our servers and disable it until the next update of horde.
Apparently root access can in fact be leveraged through the bug [edit: I have no proof of this myself, and I’m not entirely convinced that escalating to root is possible, simply due to lack of information], and according to one cPanel staff member, disabling Horde will mitigate the current threat. cPanel is aware of and working on the issue at this time. That’s all the information I have.
cPanel has collaborated with one of our partners to work to patch a security vulnerability in the Horde webmail application. HostGator has graciously provided information which will help facilitate our creation of a patch. As soon as the patch has been completed and tested it will be deployed to all cPanel builds. The completed patch will also be sent to the Horde Project (http://www.horde.org) for inclusion within the Horde codebase.
At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time). We recommend anyone using Horde or Horde Groupware disable it until the patch has been released. Since this vulnerability is contained in the stock Horde distribution and not limited to its use on cPanel servers, we recommend disabling Horde on all platforms until patched.