This Week In Security: For The Horde, Feature Not A Bug, And Confluence

If you roll way back through the history of open source webmail projects, you’ll find Horde, a groupware web application. First released in 1998 on Freshmeat, it gained some notoriety in early 2012 when it was discovered that the 3.0 release had been tampered with, and packages containing a backdoor had been shipped for three months. While this time around it isn’t an intentional backdoor, there is a very serious problem in the Horde webmail interface. Or more accurately, a pair of problems. The most serious is CVE-2022-30287, an RCE bug allowing an authenticated user to trigger code execution on the connected server.

The vulnerable element is the Turba address book module, which uses a PHP factory method to access a specific address book. The create() method has an interesting bit of code that first checks the type of the initialization value. If it’s a string, that value is understood as the name of the local address book to access. However, if the factory is initialized with an array, any of the address book drivers can be used, including the IMSP driver. IMSP fetches serialized data from remote servers, and deserializes it. And yes, PHP can have deserialization bugs, and this one runs code on the host.
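The string-versus-array pattern described above, next to a stricter form, as an added example that is not Horde or Turba code. Every function, constant and host name here is hypothetical, and the inputs are constructed.

```php
<?php
// Added illustration: hypothetical names, not Horde or Turba source code.
const CONFIGURED_BOOKS = [
    'localsql'   => ['type' => 'sql', 'table' => 'contacts'],
    'favourites' => ['type' => 'prefs'],
];
// Pattern from the text: a string names a configured book, while an array
// is trusted as a full driver configuration chosen by the caller.
function createLoose($init): array
{
    if (is_array($init)) {
        return $init; // any driver type is accepted, remote ones included
    }
    if (!is_string($init) || !array_key_exists($init, CONFIGURED_BOOKS)) {
        throw new InvalidArgumentException('unknown address book');
    }
    return CONFIGURED_BOOKS[$init];
}

// Hardened: request-derived input must be a string naming a configured book.
function createStrict($init): array
{
    if (!is_string($init) || !array_key_exists($init, CONFIGURED_BOOKS)) {
        throw new InvalidArgumentException('address book must be a configured name');
    }
    return CONFIGURED_BOOKS[$init];
}

// Defence in depth for any driver that decodes serialized remote data:
// allowed_classes=false stops unserialize() from instantiating objects.
function decodeRemote(string $blob): array
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    return $data;
}

// Constructed inputs: a normal book name and an array-shaped value.
$inputs = ['localsql', ['type' => 'imsp', 'server' => 'imsp.example.invalid']];
foreach ($inputs as $in) {
    echo 'loose:  ', json_encode(createLoose($in)), PHP_EOL;
    try {
        echo 'strict: ', json_encode(createStrict($in)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'strict: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
echo json_encode(decodeRemote(serialize(['name' => 'Alice']))), PHP_EOL;
```

The strict factory rejects the array-shaped value outright, so the choice of driver stays with server-side configuration.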

But it’s not that bad, it’s only authenticated users, right? That would be bad enough, but that second bug is a Cross-site Request Forgery, CSRF, triggered by viewing an email. So on a vulnerable Horde server, any user viewing a malicious message would trigger RCE on the server. Oof. So let’s talk fixes. There is a new version of the Turba module that seems to fix the bugs, but it’s not clear that the actual Horde suite has pushed an update that includes it. So you may be on your own. As is pointed out on the Sonar Blog where the vulnerability was discovered, Horde itself seems to be essentially unmaintained at this point. Maybe time to consider migrating to a newer platform.

XBMC On Xbox Keeps Going And Going

It’s no secret that XBMC just saw a major release with version 9.11 Camelot. What many don’t know is that development for the X in the name (Xbox) stopped two releases ago. That is to say that Team-XBMC no longer officially develops for the platform because of its inability to handle true-HD and many types of compressed content.

But, remember that this is an open source project. Just because the development team has moved on to more powerful hardware doesn’t mean the end of the 733 MHz wonder. There have been one or two folks maintaining the branch and backporting as much as they can.

It seems that Camelot can now run on the original Xbox hardware. Both the skin and video playback must be set no greater than 720p to ensure smooth playback, but that’s not much of a drawback considering that all video being played will still need to be upscaled to get to that resolution. There is also a repository of Xbox-friendly skin hacks that allow newer skins to play nicely with the meager 64 MB of RAM available. So rejoice, you can have Camelot, and its crown jewel that is the new Confluence skin.