Advisory 01/2009: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability

                         SektionEins GmbH

                     -= Security  Advisory =-

     Advisory: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability
 Release Date: 2009/09/18
Last Modified: 2009/09/18
       Author: Stefan Esser [stefan.esser[at]]

  Application: Horde Application Framework <= 3.2.4
     Severity: PHP applications using the Horde_Form_Type_image form
               element can be tricked into overwriting arbitrary files
               writable by the webserver which might result in PHP
               remote code execution
         Risk: High
Vendor Status: Horde 3.2.5 was released which fixes this vulnerability


  Quote from
  "The Horde Application Framework is a general-purpose web application
   framework in PHP, providing classes for dealing with preferences,
   compression, browser detection, connection tracking, MIME handling,
   and more."

  During an audit of a PHP web application which is based on the Horde
  Application Framework it was discovered that form elements of the type
  Horde_Form_Type_image trust a user supplied temporary filename which
  allows to create or overwrite arbitrary files with the permissions
  of the webserver.

  By overwriting writable files within the document root like the Horde
  configuration file, or by creating new files within writable parts of
  the document root directory tree it is possible to upload arbitrary
  PHP files and execute them which obviously leads to the execution of
  arbitrary PHP code.


  Within the Horde Application Framework a special kind of form element
  exists that handles image file uploads. This form element if for
  example used within the Turba address book application. These form
  elements usually move the uploaded image to some temporary file with
  a random name and verify that the file is indeed an image.

  Furthermore the Horde_Form_Type_image form element contains a feature
  that is meant to allow reusing the same temporary filename on reuploads.
  In order to support this the previously used temporary filename is
  stored inside hidden form fields and which is then trusted during
  upload processing.

    /* Get any existing values for the image upload field. */
    $upload = $vars->get($var->getVarName());
    $upload['img'] = @unserialize($upload['img']);

    /* Get the temp file if already one uploaded, otherwise create a
     * new temporary file. */
    if (!empty($upload['img']['file'])) {
        $tmp_file = Horde::getTempDir() . '/' . $upload['img']['file'];
    } else {
        $tmp_file = Horde::getTempFile('Horde', false);

    /* Move the browser created temp file to the new temp file. */
    move_uploaded_file($this->_img['file'], $tmp_file);
    $this->_img['file'] = basename($tmp_file);

  The code snippet above demonstrates how the previously used temporary
  filename is extracted from the user supplied serialized array and then
  used as new temporary filename. It should be obvious that this allows
  writing to any writable file on the webserver. Additionally the code
  only remembers the basename() of the filename which does not contain
  the path. Therefore the later attempt to delete invalid images fails.

  Aside from the file overwrite problem the second problem is that the
  PHP function unserialize() is used on user supplied input which can
  be used for other things like crashing PHP through deeply nested array

Proof of Concept:

  SektionEins GmbH is not going to release a proof of concept
  exploit for this vulnerability.

Disclosure Timeline:

  24. July      2009 - Notified
  14. September 2009 - Horde developers released Horde 3.2.5
  18. September 2009 - Public Disclosure


  It is recommended to upgrade to the latest version of Horde
  Application Framework which also fixes additional bugs reported by
  third parties.

  Grab your copy at:

CVE Information:

  The Common Vulnerabilities and Exposures project ( has
  assigned the name CVE-2009-3236 to this vulnerability.


  pub  1024D/15ABDA78 2004-10-17 Stefan Esser
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2009 SektionEins GmbH. All rights reserved.